[midPoint] Error while Synchronization
Ivan Noris
ivan.noris at nlight.eu
Fri Apr 11 09:19:47 CEST 2014

Hi Nitin,

your understanding of livesync between DB - midPoint - LDAP was correct:
you have livesync between SOURCE (which is DB table in your case) and
midPoint, and you don't need another livesync between midPoint and LDAP,
because in your case the LDAP server is the TARGET resource.
So only one livesync task should be running.

(You _could_ have multiple livesync tasks, if you'd have multiple source
resources, but this is not your case and I don't recommend to complicate
your environment at this stage.)

Regarding the problem with "null" values for midPoint users' Given
Name/Family Name/Full Name attributes: the remedy is quite simple: just
edit your DB Table resource schema, and add inbound expressions for your
"ri:firstname" or "ri:lastname" attributes. They should set
<target>$user/givenName</target>, or <target>$user/familyName</target>,
respectively.

You've defined inbound expression for icfs:name becoming midpoint
user/name yesterday. The concept is the same for all attributes that you
wish to synchronize FROM the source resource to midPoint. In your case,
it's firstName to givenName, lastname to familyName, maybe other
attributes.

Regarding automatic provisioning to LDAP, the "problem" is because if you
create your midPoint users from DB, you're probably not saying that they
should have accounts in LDAP created. This is configured elsewhere (in
object template objects and in System Configuration you specify which
object template should be used).

Please refer to the sample object
samples/objects/user-template-complex.xml to see how LDAP account can be
constructed for every user created in midPoint.

Also see your System Configuration object in midPoint (Repository objects)
and look for "<defaultUserTemplate>" element. Here you specify the object
template that should be used. The object itself is also in Repository
objects, Object Template type. There is object template used even now, as
you see your users have "fullName" attribute constructed to "null null" -
this is done by the object template, because there are no
givenName/familyName attributes.

I'd recommend to make small steps. First try to provision from midPoint to
LDAP (no livesync). If this works, try to livesync from DB to midPoint and
add/assign LDAP account for these created users manually - via GUI. If this
works, you can make it together using the object template. You will
definitely need to fill givenName/familyName attributes in midPoint,
because "sn" (LDAP's family name) is mandatory and provisioning will fail
without this attribute.

Please refer to the following wiki pages for the Synchronization concept
introduction and more information:
https://wiki.evolveum.com/display/midPoint/Synchronization
https://wiki.evolveum.com/display/midPoint/Synchronization+Examples
https://wiki.evolveum.com/display/midPoint/Outbound+Mapping
https://wiki.evolveum.com/display/midPoint/Inbound+Mapping
https://wiki.evolveum.com/display/midPoint/Synchronization+Situations

I believe the study of these pages and correlating them with your already
existing configuration and our samples will help you to better understand
the whole process.

Regards,
Ivan
--
Ing. Ivan Noris
IT Architect
nLight, s.r.o.
___________________________________________________
"Semper cautus - semper paratus - semper idem Vix."
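
Added example (not part of the original message and not one of midPoint's own samples): a small Python check that reports which user properties no inbound mapping feeds, the condition behind the "null null" fullName and the failing LDAP provisioning described in the message above. The XML fragment is constructed, its simplified element layout is an assumption, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real midPoint export: the element layout is simplified
# and assumed. It carries both the shorthand and the nested form of the target.
SAMPLE_RESOURCE = """
<schemaHandling>
  <attribute>
    <ref>icfs:name</ref>
    <inbound><target><path>$user/name</path></target></inbound>
  </attribute>
  <attribute><ref>ri:firstname</ref></attribute>
  <attribute>
    <ref>ri:lastname</ref>
    <inbound><target>$user/familyName</target></inbound>
  </attribute>
</schemaHandling>
"""

# User properties the LDAP target depends on ("sn" is mandatory there).
REQUIRED_USER_PROPERTIES = ("givenName", "familyName")

def local(tag):
    """Element name without any '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def inbound_targets(resource_xml):
    """Return {user property: source attribute ref} for every inbound mapping."""
    targets = {}
    for attr in ET.fromstring(resource_xml).iter():
        if local(attr.tag) != "attribute":
            continue
        ref = next((c.text.strip() for c in attr if local(c.tag) == "ref" and c.text), None)
        for inbound in (c for c in attr if local(c.tag) == "inbound"):
            for node in inbound.iter():
                text = (node.text or "").strip()
                if local(node.tag) in ("target", "path") and text.startswith("$user/"):
                    targets[text.split("/", 1)[1]] = ref
    return targets

def missing_inbound(resource_xml, required=REQUIRED_USER_PROPERTIES):
    """Required user properties that no source attribute feeds."""
    mapped = inbound_targets(resource_xml)
    return [prop for prop in required if prop not in mapped]
```

On the constructed sample, `missing_inbound(SAMPLE_RESOURCE)` reports `givenName`, because `ri:firstname` has no inbound mapping.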