[midPoint] Unlock user after password reset in Active Directory

Oleksandr Nekriach o.nekriach at dynatech.lv
Fri Dec 14 10:34:46 CET 2018


Hello guys,
I have faced a problem with outbound mapping behavior.
I need to unlock a user after a password reset in Active Directory. To do this
I should set the AD attribute lockoutTime=0.
In the case of a *NORMAL* strength mapping, the lockoutTime attribute value
remains unchanged, but
in the case of a *STRONG* strength mapping, the lockoutTime attribute value is set to 0
as expected.
Is it a bug or expected behavior of the mapping?

In the resource configuration, I have added an outbound mapping:
         <attribute id="70">
            <c:ref>ri:lockoutTime</c:ref>
            <displayName>lockoutTime</displayName>
            <outbound>
               <strength>normal</strength>
               <tolerant>false</tolerant>
               <source>
                  <name>lockoutTime</name>
                  <c:path>$shadow/attributes/lockoutTime</c:path>
               </source>
               <source>
                  <c:path>credentials/password/value</c:path>
               </source>
               <expression>
                  <value>0</value>
               </expression>
               <condition>
                  <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="c:ScriptExpressionEvaluatorType">
                     <code>
                     lockoutTime!=null || lockoutTime>0
                     </code>
                  </script>
               </condition>
            </outbound>
         </attribute>

Schema attribute modification for operational attribute.

                  <xsd:element minOccurs="0" name="lockoutTime" type="xsd:long">
                     <xsd:annotation>
                        <xsd:appinfo>
                           <a:displayOrder>2270</a:displayOrder>
                           <ra:nativeAttributeName>lockoutTime</ra:nativeAttributeName>
                           <ra:frameworkAttributeName>lockoutTime</ra:frameworkAttributeName>
                           <ra:returnedByDefault>true</ra:returnedByDefault>
                        </xsd:appinfo>
                     </xsd:annotation>
                  </xsd:element>

Stack trace.
2018-12-14 11:09:44,659 [] [pool-6-thread-553] TRACE
(com.evolveum.midpoint.model.common.mapping.Mapping): *Mapping trace*:
---[ MAPPING  in outbound mapping for {.../resource/instance-3}lockoutTime
in resource:bc9d21ce-62dd-46bc-0044-65c4296cbbb7(Active
Directory)]---------------------------
Stregth: *NORMAL*
Source: lockoutTime:
old=RA({.../resource/instance-3}lockoutTime):[PPV(Long:131892516017608914)],
delta=null,
new=RA({.../resource/instance-3}lockoutTime):[PPV(Long:131892516017608914)]
Source: value:
old=PP({.../common/common-3}value):[PPV(ProtectedStringType:ProtectedStringType([encrypted
data]))], delta=PropertyDelta(credentials/password /
{.../common/common-3}value, REPLACE),
new=PP({.../common/common-3}value):[PPV(ProtectedStringType:ProtectedStringType([encrypted
data]))]
Target: rRAD:{.../resource/instance-3}lockoutTime {xsd:}long[0,1],RAM
native=lockoutTime framework=lockoutTime,Disp,OUT,IN:MODEL
Expression: literal: PVDeltaSetTriple(zero: [PPV(Long:0)]; plus: []; minus:
[]; )
Condition: true -> true
Result: unchanged: 0

2018-12-14 11:22:50,407 [] [pool-6-thread-557] TRACE
(com.evolveum.midpoint.model.common.mapping.Mapping): *Mapping trace:*
---[ MAPPING  in outbound mapping for {.../resource/instance-3}lockoutTime
in resource:bc9d21ce-62dd-46bc-0044-65c4296cbbb7(Active
Directory)]---------------------------
Stregth: *STRONG*
Source: lockoutTime:
old=RA({.../resource/instance-3}lockoutTime):[PPV(Long:131892516017608914)],
delta=null,
new=RA({.../resource/instance-3}lockoutTime):[PPV(Long:131892516017608914)]
Source: value:
old=PP({.../common/common-3}value):[PPV(ProtectedStringType:ProtectedStringType([encrypted
data]))], delta=null,
new=PP({.../common/common-3}value):[PPV(ProtectedStringType:ProtectedStringType([encrypted
data]))]
Target: rRAD:{.../resource/instance-3}lockoutTime {xsd:}long[0,1],RAM
native=lockoutTime framework=lockoutTime,Disp,OUT,IN:MODEL
Expression: literal: PVDeltaSetTriple(zero: [PPV(Long:0)]; plus: []; minus:
[]; )
Condition: true -> true
Result: unchanged: 0

-- 
Best regards,



Oleksandr Nekriach | Identity and access management engineer
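
A small parser for the mapping trace format shown in the message above, added here as an example (it is not part of the original post and not midPoint code). It rejoins the hard-wrapped trace lines, reports which source carried a delta, and decodes lockoutTime as a Windows FILETIME; the sample is constructed from the NORMAL trace with namespaces shortened, and `parse_trace` and `filetime_to_utc` are hypothetical names.

```python
import re
from datetime import datetime, timedelta, timezone

KEYS = ("Stregth:", "Source:", "Target:", "Expression:", "Condition:", "Result:")

# Constructed sample: the NORMAL trace from the post, namespaces shortened,
# still hard-wrapped the way the mail shows it ("Stregth" is spelled as in the trace).
TRACE = """\
Stregth: NORMAL
Source: lockoutTime:
old=RA(lockoutTime):[PPV(Long:131892516017608914)],
delta=null,
new=RA(lockoutTime):[PPV(Long:131892516017608914)]
Source: value:
old=PP(value):[PPV(ProtectedStringType)], delta=PropertyDelta(credentials/password /
value, REPLACE),
new=PP(value):[PPV(ProtectedStringType)]
Condition: true -> true
Result: unchanged: 0
"""

def filetime_to_utc(ticks):
    """AD lockoutTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 = not locked."""
    if ticks == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_trace(text):
    """Rejoin wrapped lines, then pull out strength, per-source delta, condition, result."""
    fields = []
    for line in text.splitlines():
        if line.startswith(KEYS):
            fields.append(line.strip())
        elif fields and line.strip():
            fields[-1] += " " + line.strip()   # continuation of a wrapped field
    out = {"sources": {}}
    for f in fields:
        key, _, rest = f.partition(": ")
        if key == "Stregth":
            out["strength"] = rest
        elif key == "Source":
            name, _, body = rest.partition(":")
            delta = re.search(r"delta=(null|\w+)", body).group(1)
            out["sources"][name] = {"changed": delta != "null",
                                    "longs": [int(n) for n in re.findall(r"Long:(\d+)", body)]}
        elif key in ("Condition", "Result"):
            out[key.lower()] = rest
    return out
```
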
