[midPoint] Ad synch Group-User failed

TIPA Sylvaire-Kevin sylvaire-kevin.tipa at mythalesgroup.com
Mon Mar 5 09:29:11 CET 2018


Hey,

I have found my problem: the "strong" option was missing. This is the right meta-role; I think it would be good to add it to your sample page (on the wiki). I just found it in the sample source on GitHub.

Add it here: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
and here: https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization

<inducement id="2">
    <construction>
        <resourceRef
            oid="41746865-6e61-1000-0001-000000000001"
            relation="org:default"
            type="c:ResourceType" />
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <c:ref>ri:group</c:ref>
            <outbound>
                <strength>strong</strength>
                <expression>
                    <associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>


--
Regards.
-------- Original Message --------
Subject: [midPoint] Ad synch Group-User failed
Date: Friday 2 March 2018 12:32 CET
From: "TIPA Sylvaire-Kevin" <sylvaire-kevin.tipa at mythalesgroup.com>
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
To: midpoint at lists.evolveum.com


Hello,

I have a really strange event in my AD synch. Let me explain; I have the following setup:
- 1 Active Directory resource
- 1 metarole for AD group sync (based on the sample: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO)
- 1 role with an assignment to the metarole
- 1 user with an assignment to the previous role.


- When I assign the metarole to my role: OK, everything does its job and my role is now a group in my AD
- When I assign a user (with or without the AD construction already done) to my role: OK, my user has an AD account and this account is memberOf my group
- When I reconcile my role: NOK, midPoint executes a delta that deletes all the members (it deletes the memberOf association, not the members themselves)
If I reconcile my user, nothing is done.

My resource and my metarole are like the sample. Any idea?




METAROLE:
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="41746865-6e61-2001-0001-000000000010" version="1">
      <name>metarole-ad-sync</name>
      <activation>
         <effectiveStatus>enabled</effectiveStatus>
         <enableTimestamp>2017-08-08T14:30:44.995Z</enableTimestamp>
      </activation>
      <iteration>0</iteration>
      <iterationToken/>
      <inducement id="1">
         <construction>
            <resourceRef oid="41746865-6e61-1000-0001-000000000001" relation="org:default" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
         </construction>
      </inducement>
      <inducement id="2">
         <construction>
            <resourceRef oid="41746865-6e61-1000-0001-000000000001" relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
               <c:ref>ri:group</c:ref>
               <outbound>
                  <expression>
                     <associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                        <projectionDiscriminator>
                           <kind>entitlement</kind>
                           <intent>group</intent>
                        </projectionDiscriminator>
                     </associationFromLink>
                  </expression>
               </outbound>
            </association>
         </construction>
         <order>2</order>
      </inducement>
   </role>



Resource:
<schemaHandling>
         <objectType>
            <kind>account</kind>
            <displayName>User Account</displayName>
            <default>true</default>
            <objectClass>ri:user</objectClass>
            <attribute>
               <c:ref>ri:dn</c:ref>
               <displayName>Distinguished Name</displayName>
               <limitations>
                  <access>
                     <read>true</read>
                     <add>true</add>
                     <modify>false</modify>
                  </access>
               </limitations>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <authoritative>false</authoritative>
                  <exclusive>false</exclusive>
                  <strength>weak</strength>
                  <source>
                     <c:path>$user/fullName</c:path>
                  </source>
                  <expression>
                     <script xsi:type="c:ScriptExpressionEvaluatorType">
                        <code>
                            'CN=' + fullName + iterationToken + ',OU=Users,OU=AGORA-T PREPROD,DC=users,DC=pprod,DC=agorat,DC=local'
                        </code>
                     </script>
                  </expression>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:sAMAccountName</c:ref>
               <limitations>
                  <access>
                     <read>true</read>
                     <add>true</add>
                     <modify>false</modify>
                  </access>
               </limitations>
               <matchingRule xmlns:gen730="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen730:stringIgnoreCase</matchingRule>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <authoritative>false</authoritative>
                  <exclusive>false</exclusive>
                  <strength>weak</strength>
                  <source>
                     <c:path>$user/name</c:path>
                  </source>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:cn</c:ref>
               <limitations>
                  <minOccurs>0</minOccurs>
               </limitations>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <authoritative>false</authoritative>
                  <exclusive>false</exclusive>
                  <strength>weak</strength>
                  <source>
                     <c:path>fullName</c:path>
                  </source>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:sn</c:ref>
               <limitations>
                  <minOccurs>0</minOccurs>
               </limitations>
               <outbound>
                  <source>
                     <c:path>familyName</c:path>
                  </source>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:givenName</c:ref>
               <outbound>
                  <source>
                     <c:path>givenName</c:path>
                  </source>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:userPrincipalName</c:ref>
               <outbound>
                  <source>
                     <c:path>$user/name</c:path>
                  </source>
                  <expression>
                     <script xsi:type="c:ScriptExpressionEvaluatorType">
                        <code>
                            name + iterationToken + '@pprod.agora-t.net'
                        </code>
                     </script>
                  </expression>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:pwdLastSet</c:ref>
               <outbound>
                  <expression>
                     <value xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:long">-1</value>
                  </expression>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:createTimeStamp</c:ref>
               <fetchStrategy>explicit</fetchStrategy>
            </attribute>
            <attribute>
               <c:ref>ri:nTSecurityDescriptor</c:ref>
               <limitations>
                  <minOccurs>0</minOccurs>
               </limitations>
            </attribute>
            <attribute>
               <c:ref>ri:instanceType</c:ref>
               <limitations>
                  <minOccurs>0</minOccurs>
               </limitations>
            </attribute>
            <attribute>
               <c:ref>ri:objectCategory</c:ref>
               <limitations>
                  <minOccurs>0</minOccurs>
               </limitations>
               <outbound>
                  <expression>
                     <value>CN=Person,CN=Schema,CN=Configuration,DC=users,DC=pprod,DC=agorat,DC=local</value>
                  </expression>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:displayName</c:ref>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <authoritative>false</authoritative>
                  <exclusive>false</exclusive>
                  <strength>normal</strength>
                  <source>
                     <c:path>$user/givenName</c:path>
                  </source>
                  <source>
                     <c:path>$user/familyName</c:path>
                  </source>
                  <expression>
                     <script xsi:type="c:ScriptExpressionEvaluatorType">
                        <code>
                            (givenName + '.' + familyName).toString().toLowerCase()
                        </code>
                     </script>
                  </expression>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:mail</c:ref>
               <outbound>
                  <source>
                     <c:path>$user/emailAddress</c:path>
                  </source>
               </outbound>
            </attribute>
            <association>
               <c:ref>ri:group</c:ref>
               <displayName>AD Group Membership</displayName>
               <kind>entitlement</kind>
               <intent>group</intent>
               <direction>objectToSubject</direction>
               <associationAttribute>ri:member</associationAttribute>
               <valueAttribute>ri:dn</valueAttribute>
               <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
               <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
               <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
            </association>
            <activation>
               <administrativeStatus>
                  <outbound/>
               </administrativeStatus>
            </activation>
            <credentials>
               <password>
                  <outbound/>
               </password>
            </credentials>
         </objectType>
         <objectType>
            <kind>entitlement</kind>
            <intent>group</intent>
            <displayName>Athena Groups</displayName>
            <default>true</default>
            <objectClass>ri:group</objectClass>
            <attribute>
               <c:ref>ri:dn</c:ref>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <authoritative>true</authoritative>
                  <exclusive>false</exclusive>
                  <strength>normal</strength>
                  <source>
                     <c:path>$focus/name</c:path>
                  </source>
                  <expression>
                     <script xsi:type="c:ScriptExpressionEvaluatorType">
                        <code>
                            'CN=' + name + ',OU=Groups,OU=AGORA-T PREPROD,DC=users,DC=pprod,DC=agorat,DC=local'
                        </code>
                     </script>
                  </expression>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:cn</c:ref>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <authoritative>true</authoritative>
                  <exclusive>false</exclusive>
                  <strength>normal</strength>
                  <source>
                     <c:path>$focus/name</c:path>
                  </source>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:description</c:ref>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <source>
                     <c:path>description</c:path>
                  </source>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:member</c:ref>
               <displayName>Member</displayName>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
            </attribute>
            <attribute>
               <c:ref>ri:groupType</c:ref>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <expression>
                     <value>-2147483646</value>
                  </expression>
               </outbound>
            </attribute>
            <attribute>
               <c:ref>ri:sAMAccountName</c:ref>
               <tolerant>false</tolerant>
               <exclusiveStrong>false</exclusiveStrong>
               <outbound>
                  <authoritative>true</authoritative>
                  <exclusive>false</exclusive>
                  <strength>normal</strength>
                  <source>
                     <c:path>$focus/name</c:path>
                  </source>
               </outbound>
            </attribute>
         </objectType>
      </schemaHandling>
      <capabilities>
         <cachingMetadata>
            <retrievalTimestamp>2017-10-03T08:28:33.067Z</retrievalTimestamp>
            <serialNumber>2af0af9006ddad16-bd8b78664df70159</serialNumber>
         </cachingMetadata>
         <native xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3" xsi:type="c:CapabilityCollectionType">
            <cap:schema/>
            <cap:liveSync/>
            <cap:testConnection/>
            <cap:create/>
            <cap:read/>
            <cap:update/>
            <cap:delete/>
            <cap:script>
               <cap:host>
                  <cap:type>resource</cap:type>
               </cap:host>
               <cap:host>
                  <cap:type>connector</cap:type>
               </cap:host>
            </cap:script>
            <cap:addRemoveAttributeValues/>
            <cap:activation>
               <cap:status/>
            </cap:activation>
            <cap:credentials>
               <cap:password>
                  <cap:returnedByDefault>false</cap:returnedByDefault>
               </cap:password>
            </cap:credentials>
            <cap:auxiliaryObjectClasses/>
            <cap:pagedSearch/>
         </native>
         <configured xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3" xsi:type="c:CapabilityCollectionType">
            <cap:liveSync>
               <cap:enabled>true</cap:enabled>
            </cap:liveSync>
            <cap:testConnection>
               <cap:enabled>true</cap:enabled>
            </cap:testConnection>
            <cap:create>
               <cap:enabled>true</cap:enabled>
            </cap:create>
            <cap:read>
               <cap:enabled>true</cap:enabled>
            </cap:read>
            <cap:update>
               <cap:enabled>true</cap:enabled>
            </cap:update>
            <cap:delete>
               <cap:enabled>true</cap:enabled>
            </cap:delete>
            <cap:script>
               <cap:enabled>true</cap:enabled>
               <cap:host>
                  <cap:type>resource</cap:type>
               </cap:host>
               <cap:host>
                  <cap:type>connector</cap:type>
               </cap:host>
            </cap:script>
            <cap:addRemoveAttributeValues>
               <cap:enabled>true</cap:enabled>
            </cap:addRemoveAttributeValues>
            <cap:activation>
               <cap:enabled>true</cap:enabled>
               <cap:status>
                  <cap:enabled>true</cap:enabled>
                  <cap:returnedByDefault>true</cap:returnedByDefault>
                  <cap:ignoreAttribute>true</cap:ignoreAttribute>
               </cap:status>
               <cap:validFrom>
                  <cap:enabled>false</cap:enabled>
                  <cap:returnedByDefault>false</cap:returnedByDefault>
               </cap:validFrom>
               <cap:validTo>
                  <cap:enabled>false</cap:enabled>
                  <cap:returnedByDefault>false</cap:returnedByDefault>
               </cap:validTo>
               <cap:lockoutStatus>
                  <cap:enabled>false</cap:enabled>
                  <cap:returnedByDefault>false</cap:returnedByDefault>
                  <cap:ignoreAttribute>true</cap:ignoreAttribute>
               </cap:lockoutStatus>
            </cap:activation>
            <cap:credentials>
               <cap:enabled>true</cap:enabled>
               <cap:password>
                  <cap:enabled>true</cap:enabled>
                  <cap:returnedByDefault>false</cap:returnedByDefault>
               </cap:password>
            </cap:credentials>
            <cap:auxiliaryObjectClasses>
               <cap:enabled>true</cap:enabled>
            </cap:auxiliaryObjectClasses>
         </configured>
      </capabilities>
      <scripts>
         <script>
            <host>resource</host>
            <language>powershell</language>
            <argument>
               <c:path xsi:type="t:ItemPathType">$user/name</c:path>
               <name>identity</name>
            </argument>
            <code>powershell "D:\midpoint\create-certificate\create-certificate.ps1 $identity"</code>
            <operation>add</operation>
            <kind>account</kind>
            <order>after</order>
         </script>
      </scripts>
      <synchronization>
         <objectSynchronization>
            <name>Account sync</name>
            <objectClass>ri:user</objectClass>
            <kind>account</kind>
            <intent>default</intent>
            <focusType>c:UserType</focusType>
            <enabled>true</enabled>
            <correlation>
               <q:equal>
                  <q:path>c:name</q:path>
                  <expression xmlns="">
                     <path>$user/sAMAccountName</path>
                  </expression>
               </q:equal>
            </correlation>
            <reconcile>false</reconcile>
            <opportunistic>true</opportunistic>
            <reaction>
               <situation>linked</situation>
               <synchronize>true</synchronize>
               <reconcile>false</reconcile>
            </reaction>
            <reaction>
               <situation>deleted</situation>
               <reconcile>false</reconcile>
               <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink">
                  <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri>
               </action>
            </reaction>
            <reaction>
               <situation>unlinked</situation>
               <reconcile>false</reconcile>
               <action>
                  <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
               </action>
            </reaction>
            <reaction>
               <situation>unmatched</situation>
               <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
               <synchronize>true</synchronize>
               <reconcile>false</reconcile>
               <objectTemplateRef oid="41746865-6e61-9001-0000-000000000010" type="c:ObjectTemplateType">
                  <targetName>Athena User Template</targetName>
               </objectTemplateRef>
               <action>
                  <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
               </action>
            </reaction>
         </objectSynchronization>
         <objectSynchronization>
            <name>Athena Transversal Group sync</name>
            <objectClass>ri:group</objectClass>
            <kind>entitlement</kind>
            <intent>group</intent>
            <focusType>c:RoleType</focusType>
            <enabled>true</enabled>
            <correlation>
               <q:equal>
                  <q:path>c:name</q:path>
                  <expression>
                     <path>$shadow/attributes/cn</path>
                  </expression>
               </q:equal>
            </correlation>
            <reconcile>false</reconcile>
            <reaction>
               <situation>linked</situation>
               <synchronize>true</synchronize>
               <reconcile>false</reconcile>
            </reaction>
            <reaction>
               <situation>deleted</situation>
               <reconcile>false</reconcile>
               <action/>
            </reaction>
            <reaction>
               <situation>unlinked</situation>
               <reconcile>false</reconcile>
               <action>
                  <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
               </action>
            </reaction>
            <reaction>
               <situation>unmatched</situation>
               <reconcile>false</reconcile>
               <action>
                  <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
               </action>
            </reaction>
         </objectSynchronization>
      </synchronization>
   </resource>


--
Regards.
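The fix in the reply above is a single missing `<strength>strong</strength>` in the metarole's association outbound mapping. As an added example (not from the post, the wiki sample, or midPoint itself), the Python script below walks a role or metarole XML document and flags every association outbound mapping whose strength is not `strong`, so the omission can be caught before a reconcile removes group memberships. It runs on a constructed, reduced copy of the posted `metarole-ad-sync`, once as first posted (no `<strength>`) and once as corrected; the only assumption beyond the page is that a mapping without a `<strength>` element takes midPoint's default strength, `normal`.

```python
import xml.etree.ElementTree as ET

# midPoint common-3 namespace, as declared on the <role> element in the posted metarole
C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"


def q(tag: str) -> str:
    """Clark-notation name for an element in the common-3 namespace."""
    return "{%s}%s" % (C, tag)


def association_mapping_findings(role_xml: str):
    """Report inducement -> construction -> association -> outbound mappings whose
    strength is not 'strong'.  A missing <strength> is treated as 'normal'
    (assumed midPoint default).  Returns a list of
    (inducement id, association ref, effective strength) tuples."""
    root = ET.fromstring(role_xml)
    findings = []
    for inducement in root.iter(q("inducement")):
        ind_id = inducement.get("id", "?")
        for assoc in inducement.iter(q("association")):
            ref_el = assoc.find(q("ref"))  # <c:ref> resolves to the same namespace
            ref = ref_el.text.strip() if ref_el is not None and ref_el.text else "?"
            for outbound in assoc.findall(q("outbound")):
                strength_el = outbound.find(q("strength"))
                strength = (strength_el.text or "").strip() if strength_el is not None else ""
                strength = strength or "normal"
                if strength != "strong":
                    findings.append((ind_id, ref, strength))
    return findings


def metarole_xml(strength_element: str) -> str:
    """Constructed sample: the metarole from the post reduced to its two inducements,
    with the association mapping's <strength> element supplied by the caller."""
    return f"""<role xmlns="{C}" xmlns:c="{C}"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      oid="41746865-6e61-2001-0001-000000000010">
  <name>metarole-ad-sync</name>
  <inducement id="1">
    <construction>
      <resourceRef oid="41746865-6e61-1000-0001-000000000001" type="c:ResourceType"/>
      <kind>entitlement</kind>
      <intent>group</intent>
    </construction>
  </inducement>
  <inducement id="2">
    <construction>
      <resourceRef oid="41746865-6e61-1000-0001-000000000001" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <outbound>
          {strength_element}
          <expression>
            <associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
              <projectionDiscriminator>
                <kind>entitlement</kind>
                <intent>group</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
    <order>2</order>
  </inducement>
</role>"""


BROKEN_METAROLE = metarole_xml("")                            # as first posted: no <strength>
FIXED_METAROLE = metarole_xml("<strength>strong</strength>")  # as corrected in the reply

if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_METAROLE), ("fixed", FIXED_METAROLE)):
        findings = association_mapping_findings(xml)
        print(label, "->", findings or "all association mappings are strong")
```

Run against the posted metarole the check reports inducement 2's `ri:group` mapping at effective strength `normal`; against the corrected one it reports nothing. The same function works on any role export, since it keys only on the common-3 element names and ignores the `ri:` and `org:` prefixes that appear as text or attribute values.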

