[midPoint] Error while Synchronization

Nitin G. Prabhu Nitin.Prabhu at mastek.com
Fri Apr 11 12:59:15 CEST 2014


Thanks again, Ivan, for such a detailed explanation. I have made the changes as per your suggestion, but it is still not working.



I get the error below if I try to enable my DB account on the user and try to save it.



Subresult com.evolveum.midpoint.provisioning.ucf.api.ConnectorInstance.modifyObject of operation com.evolveum.midpoint.provisioning.api.ProvisioningService.modifyObject is still UNKNOWN during cleanup; during handling of exception com.evolveum.midpoint.util.exception.SystemException: java.lang.NullPointerException: null, Couldn't add object. Object already exists: Account already exists on the resource: javax.naming.NameAlreadyBoundException([LDAP: error code 68 - The entry uid=200395948546,ou=people,o=nhs cannot be added because an entry with that name already exists])



My requirement is that a user available in the DB needs to be synchronized with LDAP.



A user in the DB is getting provisioned in midPoint, i.e. both ways, midPoint to DB and DB to midPoint, and the LDAP account is also assigned after making the changes (object template and system configuration, as per your suggestion), but not from midPoint to LDAP.



I tried to manually assign the account, but I am still getting the above error. I am not able to understand why midPoint is trying to create an account in LDAP which is already available; ideally it should update it. Is that correct?



Regards,

Nitin



-----Original Message-----
From: midpoint-bounces at lists.evolveum.com [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: 11 April 2014 08:20
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Error while Synchronization



Hi Nitin,



your understanding of livesync between DB - midPoint - LDAP was correct:

you have livesync between SOURCE (which is DB table in your case) and midPoint, and you don't need another livesync between midPoint and LDAP, because in your case the LDAP server is the TARGET resource.



So only one livesync task should be running.

(You _could_ have multiple livesync tasks, if you had multiple source resources, but this is not your case and I don't recommend complicating your environment at this stage.)



Regarding the problem with "null" values for midPoint users' Given Name/Family Name/Full Name attributes: the remedy is quite simple: just edit your DB Table resource schema, and add inbound expressions for your "ri:firstname" or "ri:lastname" attributes. They should set <target>$user/givenName</target>, or <target>$user/familyName</target>, respectively.



You've defined inbound expression for icfs:name becoming midpoint user/name yesterday. The concept is the same for all attributes that you wish to synchronize FROM the source resource to midPoint. In your case, it's firstName to givenName, lastname to familyName, maybe other attributes.



Regarding automatic provisioning to LDAP, the "problem" is because if you create your midPoint users from DB, you're probably not saying that they should have accounts in LDAP created. This is configured elsewhere (in object template objects and in System Configuration you specify which object template should be used).



Please refer to the sample object samples/objects/user-template-complex.xml to see how LDAP account can be constructed for every user created in midPoint.



Also see your System Configuration object in midPoint (Repository objects) and look for "<defaultUserTemplate>" element. Here you specify the object template that should be used. The object itself is also in Repository objects, Object Template type. There is object template used even now, as you see your users have "fullName" attribute constructed to "null null" - this is done by the object template, because there are no givenName/familyName attributes.



I'd recommend taking small steps. First try to provision from midPoint to LDAP (no livesync). If this works, try to livesync from DB to midPoint and add/assign the LDAP account for these created users manually - via GUI. If this works, you can put it together using the object template. You will definitely need to fill givenName/familyName attributes in midPoint, because "sn" (LDAP's family name) is mandatory and provisioning will fail without this attribute.



Please refer to the following wiki pages for the Synchronization concept introduction and more information:



https://wiki.evolveum.com/display/midPoint/Synchronization

https://wiki.evolveum.com/display/midPoint/Synchronization+Examples

https://wiki.evolveum.com/display/midPoint/Outbound+Mapping

https://wiki.evolveum.com/display/midPoint/Inbound+Mapping

https://wiki.evolveum.com/display/midPoint/Synchronization+Situations



I believe the study of these pages and correlating them with your already existing configuration and our samples will help you to better understand the whole process.



Regards,

Ivan



--

  Ing. Ivan Noris

     IT Architect

  nLight, s.r.o.

  ___________________________________________________

  "Semper cautus - semper paratus - semper idem Vix."


