From radovan.semancik at evolveum.com  Mon Dec  1 11:12:50 2014
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 01 Dec 2014 11:12:50 +0100
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
Message-ID: <547C3F22.90508@evolveum.com>

Hi Jason,

This is slightly different. The condition tells whether to apply the 
specific <objectSynchronization> block or on. The primary use of the 
condition is to sort objects of the same object class to "intents" (see 
https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass). 
The primary meaning of this is to synchronize group object with a role 
object (or org object). But it does not synchronize account-group 
association (i.e. group membership) with a user-role assignment.

With a bit of trickery it could theoretically work for your case. But I 
doubt that it will be practical. You will need one 
<objectSynchronization> block for each group that you are trying to 
synchronize.

-- 

                                            Radovan Semancik
                                           Software Architect
                                              evolveum.com



On 11/29/2014 05:21 PM, Jason Everling wrote:
> Is what I was asking, in the wiki it says you can add a condition to 
> the synchronization policy, under 
> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>
>   * *condition* is an expression which has to evaluate to true for the
>     policy to be used. It can be used for a very fine-grain selection
>     of applicable policies.
>
>
> I found a sample, kind of here, 
> https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>
> I am just a little confused on the condition statement, I was thinking 
> it would look something like,
>
> <condition>
>    <script>
>      <code>
>         declare default namespace 
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>         basic.getAttributeValue(account, 
> 'http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info') 
> = replicated
>      </code>
>   </script>
> </condition>
>
>
> JASON
>
>
> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly <mederly at evolveum.com 
> <mailto:mederly at evolveum.com>> wrote:
>
>     Hello Jason,
>
>     although I don't understand what you would like to achieve, a
>     quick answer though:
>
>     If you would apply a condition to a mapping (incoming or outgoing,
>     it does not matter), you can use <condition> subelement directly
>     under <incoming> or <outgoing> one.
>     However, take this only as a quick hint. I haven't done that, nor
>     I'm sure it's implemented. Please try it.
>
>     Best regards,
>     Pavol
>
>
>     On 28. 11. 2014 22:46, Jason Everling wrote:
>>     So I have the roleType syncing to the AD attribute, info, the
>>     info or roleType. I want any group that contains this roleType or
>>     info attribute sync'd, any other s will not be sync'd.
>>
>>     I know how to do this in objectTemplate but how in the resource
>>     so that it only syncs those groups and not all groups.
>>
>>     Where do I put in the condition statement in the resource
>>     definition? I searched through what I could in the samples but
>>     couldn't find anything like this.
>>
>>     JASON
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com  <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and 
> confidential; intended for only the recipient(s) named above and may 
> contain information that is privileged. You should not retain, copy or 
> use this e-mail or any attachments for any purpose, or disclose all or 
> any part of the contents to any person. Any views or opinions 
> expressed in this e-mail are those of the author and do not represent 
> those of the Baptist School of Health Professions. If you have 
> received this e-mail in error, or are not the named recipient(s), you 
> are hereby notified that any review, dissemination, distribution or 
> copying of this communication is prohibited by the sender and to do so 
> might constitute a violation of the Electronic Communications Privacy 
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender 
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/d6464b64/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  1 11:21:17 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 01 Dec 2014 11:21:17 +0100
Subject: [midPoint] Email Notification
In-Reply-To: <CAFkZXY4774RW04RB=HYEpxsd2mWvyubcsRTAUBU49X8TxDD1RQ@mail.gmail.com>
References: <CAFkZXY5T=086B6j7GgXcSmf4Owg-MFex4j8pABQcyS8yVGKBUA@mail.gmail.com>
 <54496720.40505@evolveum.com>
 <CAFkZXY4774RW04RB=HYEpxsd2mWvyubcsRTAUBU49X8TxDD1RQ@mail.gmail.com>
Message-ID: <547C411D.8010408@evolveum.com>

FYI I have updated the General Notifier example in
https://wiki.evolveum.com/display/midPoint/Notifications page.

Be adwised that this example can be achieved also by using standard
simpleFocalObjectNotifier now.


Regards,
Ivan

On 10/23/2014 11:11 PM, Jason Everling wrote:
> Ah ok, so the GeneralNotifier is more or less what I would use then so
> I could customize the message and such, more testing and reading.
>
> I was taking a look at the code on github for those notifiers and I
> think I could go in and change some stuff if I cannot get the general
> notifier to work like I would like it.
>
> Would there happen to be any samples for the General Notifier
> anywhere, maybe complex or one's that have the body? I see the simple
> and others which I have gotten to work but I would like to customize
> the body and such so the general might be what I am looking for.
>
> I saw it on the roadmap, sorry, I though it was under 3.1 but
> currently has no timeframe
>
> https://wiki.evolveum.com/display/midPoint/Roadmap
>
> Thanks!
>
> On Thu, Oct 23, 2014 at 3:37 PM, Pavol Mederly <mederly at evolveum.com
> <mailto:mederly at evolveum.com>> wrote:
>
>     Hello Jason,
>
>     well, the notification mechanism is quite universal and flexible.
>     The amount of work required depends on what you want to achieve.
>
>     Technically:
>
>      1. there are some standard notifiers
>         (SimpleUserNotifier/SimpleFocalObjectNotifier,
>         SimpleResourceObjectNotifier, SimpleWorkflowNotifier,
>         UserPasswordNotifier, AccountPasswordNotifier) that provide
>         specific kinds of notifications related to users/orgs/roles,
>         resource objects (accounts, groups, OUs, ...), work items and
>         workflow processes; and, specially, to notify about user &
>         account passwords,
>      2. besides that, you can send any notification you like - there
>         is so called GeneralNotifier that can be scripted to include
>         anything in the message subject, body and recipient addresses.
>
>     If you want to do "something like" one of existing specific
>     notifiers does (but not exactly that), you have a couple of options:
>
>      1. If you can work with Java, you can easily take any of these
>         notifiers, copy it into your own class, and change it as you
>         wish. It is not a big problem.
>      2. If you don't want to work with Java, you can try to use
>         GeneralNotifier with custom scripts. It can be a bit of work,
>         however - depending on how sophisticated your notifications
>         should be. The hardest part (generating a description of
>         object or change attributes) was provided as MID-2045
>         <https://jira.evolveum.com/browse/MID-2045> recently; but
>         actually we haven't tested nor documented that feature yet.
>
>     BTW, where is /"Fully customizable forms" for 3.1 Release/
>     mentioned? I haven't seen that in the wiki.
>
>     Hope this helps,
>     Pavol
>
>
>
>     On 23. 10. 2014 20:52, Jason Everling wrote:
>>     Is the below statement still true? Can the notifications not be
>>     customized currently? If not, does this statement apply to
>>     notifications "Fully customizable forms" for 3.1 Release
>>
>>     "Evolveum midPoint notifications can use e-mail or SMS
>>     notifications (other transports can be implemented and added).
>>     Additionally, the notifications can be stored in a file, which is
>>     very useful during testing and deployments (this feature is
>>     similar to Sun IDM "redirect to file"). The notification
>>     component is configured in global midPoint system configuration
>>     in a more programatically way using expressions. There are
>>     currently no email templates, but the concept is open to such
>>     changes to be added in the future releases."
>>
>>     JASON
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/11599cdd/attachment.htm>

From dharm.parakh at gmail.com  Mon Dec  1 13:39:23 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Mon, 1 Dec 2014 18:09:23 +0530
Subject: [midPoint] Custom Code to Add Inducement
Message-ID: <CAKvVWqwEA-2x7R9haN-ib22DD0pQaBGbODjowtxCP4RTVUkS7A@mail.gmail.com>

Hi

I was trying out midpoint client sample code and i want to write a code to
add a resource inducement to a role.

I tried lots of things but the inducement was not added to that role. Can
anyone point me to some sample code or give some pointers to do this.



Thanks
Dharmendra
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/432f226d/attachment.htm>

From jeverling at bshp.edu  Mon Dec  1 17:12:46 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 1 Dec 2014 10:12:46 -0600
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <547C3F22.90508@evolveum.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
 <547C3F22.90508@evolveum.com>
Message-ID: <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>

I think that would be a bit much, more than likely, I will move all groups
that would be sync'd to Midpoint into its own container in AD and move all
our other groups to another container and use the <protected> to filter
them out so they are not sync'd.

Is there a way to build a specific group type instead of just Global |
Security, maybe Domain Local or Universal or is it hard coded to Global
Security?

Thanks!
JASON

On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

>  Hi Jason,
>
> This is slightly different. The condition tells whether to apply the
> specific <objectSynchronization> block or on. The primary use of the
> condition is to sort objects of the same object class to "intents" (see
> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
> The primary meaning of this is to synchronize group object with a role
> object (or org object). But it does not synchronize account-group
> association (i.e. group membership) with a user-role assignment.
>
> With a bit of trickery it could theoretically work for your case. But I
> doubt that it will be practical. You will need one <objectSynchronization>
> block for each group that you are trying to synchronize.
>
> --
>
>                                            Radovan Semancik
>                                           Software Architect
>                                              evolveum.com
>
>
>
> On 11/29/2014 05:21 PM, Jason Everling wrote:
>
> Is what I was asking, in the wiki it says you can add a condition to the
> synchronization policy, under
> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>
>
>    - *condition* is an expression which has to evaluate to true for the
>    policy to be used. It can be used for a very fine-grain selection of
>    applicable policies.
>
>
>  I found a sample, kind of here,
> https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>
>  I am just a little confused on the condition statement, I was thinking
> it would look something like,
>
>  <condition>
>    <script>
>      <code>
>         declare default namespace "
> http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>         basic.getAttributeValue(account, '
> http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info') =
> replicated
>      </code>
>   </script>
> </condition>
>
>
>  JASON
>
>
> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>>  Hello Jason,
>>
>> although I don't understand what you would like to achieve, a quick
>> answer though:
>>
>> If you would apply a condition to a mapping (incoming or outgoing, it
>> does not matter), you can use <condition> subelement directly under
>> <incoming> or <outgoing> one.
>> However, take this only as a quick hint. I haven't done that, nor I'm
>> sure it's implemented. Please try it.
>>
>> Best regards,
>> Pavol
>>
>>
>> On 28. 11. 2014 22:46, Jason Everling wrote:
>>
>>  So I have the roleType syncing to the AD attribute, info, the info or
>> roleType. I want any group that contains this roleType or info attribute
>> sync'd, any other s will not be sync'd.
>>
>>  I know how to do this in objectTemplate but how in the resource so that
>> it only syncs those groups and not all groups.
>>
>>  Where do I put in the condition statement in the resource definition? I
>> searched through what I could in the samples but couldn't find anything
>> like this.
>>
>>  JASON
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/3f4d98bf/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  1 17:22:15 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 01 Dec 2014 17:22:15 +0100
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
 <547C3F22.90508@evolveum.com>
 <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>
Message-ID: <547C95B7.7060700@evolveum.com>

Hi Jason,

I don't have AD right now handy, so this one is a meta-answer:

- Try to lookup some other-than-global/security groups in your AD, and
see their attributes right in AD.
- Then try to see if those attributes are managable by the connector (in
schema, CustomGroupObjectClass AFAIK).
- Then you can try to set corresponding values.

In my projects, I've only needed Security and standard groups, I didn't
set the other attribute/values, so they were pretty much filled by AD or
the connector itself.

I'm sure Pavol can give you more precise answer regarding the support of
this; and I may have some time later today or tomorrow to explore this
myself.

Regards,
Ivan

On 12/01/2014 05:12 PM, Jason Everling wrote:
> I think that would be a bit much, more than likely, I will move all
> groups that would be sync'd to Midpoint into its own container in AD
> and move all our other groups to another container and use the
> <protected> to filter them out so they are not sync'd.
>
> Is there a way to build a specific group type instead of just Global |
> Security, maybe Domain Local or Universal or is it hard coded to
> Global Security?
>
> Thanks!
> JASON
>
> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik
> <radovan.semancik at evolveum.com <mailto:radovan.semancik at evolveum.com>>
> wrote:
>
>     Hi Jason,
>
>     This is slightly different. The condition tells whether to apply
>     the specific <objectSynchronization> block or on. The primary use
>     of the condition is to sort objects of the same object class to
>     "intents" (see
>     https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>     The primary meaning of this is to synchronize group object with a
>     role object (or org object). But it does not synchronize
>     account-group association (i.e. group membership) with a user-role
>     assignment.
>
>     With a bit of trickery it could theoretically work for your case.
>     But I doubt that it will be practical. You will need one
>     <objectSynchronization> block for each group that you are trying
>     to synchronize.
>
>     -- 
>
>                                                Radovan Semancik
>                                               Software Architect
>                                                  evolveum.com <http://evolveum.com>
>
>
>
>     On 11/29/2014 05:21 PM, Jason Everling wrote:
>>     Is what I was asking, in the wiki it says you can add a condition
>>     to the synchronization policy,
>>     under https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>
>>
>>       * *condition* is an expression which has to evaluate to true
>>         for the policy to be used. It can be used for a very
>>         fine-grain selection of applicable policies.
>>
>>
>>     I found a sample, kind of
>>     here, https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>
>>     I am just a little confused on the condition statement, I was
>>     thinking it would look something like,
>>
>>     <condition>
>>        <script>
>>          <code>
>>             declare default namespace
>>     "http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>             basic.getAttributeValue(account,
>>     'http://midpoint.evolveum.com/xml/ns/public/common/common-3',
>>     'info') = replicated
>>          </code>
>>       </script>
>>     </condition>
>>
>>
>>     JASON
>>
>>
>>     On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly
>>     <mederly at evolveum.com <mailto:mederly at evolveum.com>> wrote:
>>
>>         Hello Jason,
>>
>>         although I don't understand what you would like to achieve, a
>>         quick answer though:
>>
>>         If you would apply a condition to a mapping (incoming or
>>         outgoing, it does not matter), you can use <condition>
>>         subelement directly under <incoming> or <outgoing> one.
>>         However, take this only as a quick hint. I haven't done that,
>>         nor I'm sure it's implemented. Please try it.
>>
>>         Best regards,
>>         Pavol
>>
>>
>>         On 28. 11. 2014 22:46, Jason Everling wrote:
>>>         So I have the roleType syncing to the AD attribute, info,
>>>         the info or roleType. I want any group that contains this
>>>         roleType or info attribute sync'd, any other s will not be
>>>         sync'd.
>>>
>>>         I know how to do this in objectTemplate but how in the
>>>         resource so that it only syncs those groups and not all groups.
>>>
>>>         Where do I put in the condition statement in the resource
>>>         definition? I searched through what I could in the samples
>>>         but couldn't find anything like this.
>>>
>>>         JASON
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/265bde8a/attachment.htm>

From jeverling at bshp.edu  Mon Dec  1 17:58:47 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 1 Dec 2014 10:58:47 -0600
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <547C95B7.7060700@evolveum.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
 <547C3F22.90508@evolveum.com>
 <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>
 <547C95B7.7060700@evolveum.com>
Message-ID: <CAFkZXY5XoVhzQZ3bhttxRRZgkutYkyPDfk0Ym_inFr=9jZLtfQ@mail.gmail.com>

Yeah I was going to try to set the grouptType attribute which controls what
group type it is but it is a integer and not a string, if not then no big
deal, was just wondering.

JASON

On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> I don't have AD right now handy, so this one is a meta-answer:
>
> - Try to lookup some other-than-global/security groups in your AD, and see
> their attributes right in AD.
> - Then try to see if those attributes are managable by the connector (in
> schema, CustomGroupObjectClass AFAIK).
> - Then you can try to set corresponding values.
>
> In my projects, I've only needed Security and standard groups, I didn't
> set the other attribute/values, so they were pretty much filled by AD or
> the connector itself.
>
> I'm sure Pavol can give you more precise answer regarding the support of
> this; and I may have some time later today or tomorrow to explore this
> myself.
>
> Regards,
> Ivan
>
>
> On 12/01/2014 05:12 PM, Jason Everling wrote:
>
> I think that would be a bit much, more than likely, I will move all groups
> that would be sync'd to Midpoint into its own container in AD and move all
> our other groups to another container and use the <protected> to filter
> them out so they are not sync'd.
>
>  Is there a way to build a specific group type instead of just Global |
> Security, maybe Domain Local or Universal or is it hard coded to Global
> Security?
>
>  Thanks!
> JASON
>
> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik <
> radovan.semancik at evolveum.com> wrote:
>
>>  Hi Jason,
>>
>> This is slightly different. The condition tells whether to apply the
>> specific <objectSynchronization> block or on. The primary use of the
>> condition is to sort objects of the same object class to "intents" (see
>> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>> The primary meaning of this is to synchronize group object with a role
>> object (or org object). But it does not synchronize account-group
>> association (i.e. group membership) with a user-role assignment.
>>
>> With a bit of trickery it could theoretically work for your case. But I
>> doubt that it will be practical. You will need one <objectSynchronization>
>> block for each group that you are trying to synchronize.
>>
>> --
>>
>>                                            Radovan Semancik
>>                                           Software Architect
>>                                              evolveum.com
>>
>>
>>
>> On 11/29/2014 05:21 PM, Jason Everling wrote:
>>
>> Is what I was asking, in the wiki it says you can add a condition to the
>> synchronization policy, under
>> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>
>>
>>    - *condition* is an expression which has to evaluate to true for the
>>    policy to be used. It can be used for a very fine-grain selection of
>>    applicable policies.
>>
>>
>>  I found a sample, kind of here,
>> https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>
>>  I am just a little confused on the condition statement, I was thinking
>> it would look something like,
>>
>>  <condition>
>>    <script>
>>      <code>
>>         declare default namespace "
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>         basic.getAttributeValue(account, '
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info') =
>> replicated
>>      </code>
>>   </script>
>> </condition>
>>
>>
>>  JASON
>>
>>
>> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>>  Hello Jason,
>>>
>>> although I don't understand what you would like to achieve, a quick
>>> answer though:
>>>
>>> If you would apply a condition to a mapping (incoming or outgoing, it
>>> does not matter), you can use <condition> subelement directly under
>>> <incoming> or <outgoing> one.
>>> However, take this only as a quick hint. I haven't done that, nor I'm
>>> sure it's implemented. Please try it.
>>>
>>> Best regards,
>>> Pavol
>>>
>>>
>>> On 28. 11. 2014 22:46, Jason Everling wrote:
>>>
>>>  So I have the roleType syncing to the AD attribute, info, the info or
>>> roleType. I want any group that contains this roleType or info attribute
>>> sync'd, any other s will not be sync'd.
>>>
>>>  I know how to do this in objectTemplate but how in the resource so
>>> that it only syncs those groups and not all groups.
>>>
>>>  Where do I put in the condition statement in the resource definition?
>>> I searched through what I could in the samples but couldn't find anything
>>> like this.
>>>
>>>  JASON
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/88f4c113/attachment.htm>

From mederly at evolveum.com  Mon Dec  1 18:11:23 2014
From: mederly at evolveum.com (Pavol Mederly)
Date: Mon, 01 Dec 2014 18:11:23 +0100
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <CAFkZXY5XoVhzQZ3bhttxRRZgkutYkyPDfk0Ym_inFr=9jZLtfQ@mail.gmail.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
 <547C3F22.90508@evolveum.com>
 <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>
 <547C95B7.7060700@evolveum.com>
 <CAFkZXY5XoVhzQZ3bhttxRRZgkutYkyPDfk0Ym_inFr=9jZLtfQ@mail.gmail.com>
Message-ID: <547CA13B.7010503@evolveum.com>

Hello Jason,

I would suggest looking at 
http://msdn.microsoft.com/en-us/library/cc223142.aspx.

Then e.g. Security + Global group would be 0x80000002, i.e. decimally 
either 2147483650 or -2147483646, depending on whether the connector 
expects the value as unsigned int32/64 or signed int32. I have not used 
that yet; so please try them both and see what works for you.

Best regards,
Pavol

On 1. 12. 2014 17:58, Jason Everling wrote:
> Yeah I was going to try to set the grouptType attribute which controls 
> what group type it is but it is a integer and not a string, if not 
> then no big deal, was just wondering.
>
> JASON
>
> On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris <ivan.noris at evolveum.com 
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     I don't have AD right now handy, so this one is a meta-answer:
>
>     - Try to lookup some other-than-global/security groups in your AD,
>     and see their attributes right in AD.
>     - Then try to see if those attributes are managable by the
>     connector (in schema, CustomGroupObjectClass AFAIK).
>     - Then you can try to set corresponding values.
>
>     In my projects, I've only needed Security and standard groups, I
>     didn't set the other attribute/values, so they were pretty much
>     filled by AD or the connector itself.
>
>     I'm sure Pavol can give you more precise answer regarding the
>     support of this; and I may have some time later today or tomorrow
>     to explore this myself.
>
>     Regards,
>     Ivan
>
>
>     On 12/01/2014 05:12 PM, Jason Everling wrote:
>>     I think that would be a bit much, more than likely, I will move
>>     all groups that would be sync'd to Midpoint into its own
>>     container in AD and move all our other groups to another
>>     container and use the <protected> to filter them out so they are
>>     not sync'd.
>>
>>     Is there a way to build a specific group type instead of just
>>     Global | Security, maybe Domain Local or Universal or is it hard
>>     coded to Global Security?
>>
>>     Thanks!
>>     JASON
>>
>>     On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik
>>     <radovan.semancik at evolveum.com
>>     <mailto:radovan.semancik at evolveum.com>> wrote:
>>
>>         Hi Jason,
>>
>>         This is slightly different. The condition tells whether to
>>         apply the specific <objectSynchronization> block or on. The
>>         primary use of the condition is to sort objects of the same
>>         object class to "intents" (see
>>         https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>>         The primary meaning of this is to synchronize group object
>>         with a role object (or org object). But it does not
>>         synchronize account-group association (i.e. group membership)
>>         with a user-role assignment.
>>
>>         With a bit of trickery it could theoretically work for your
>>         case. But I doubt that it will be practical. You will need
>>         one <objectSynchronization> block for each group that you are
>>         trying to synchronize.
>>
>>         -- 
>>
>>                                                     Radovan Semancik
>>                                                    Software Architect
>>                                                       evolveum.com  <http://evolveum.com>
>>
>>
>>
>>         On 11/29/2014 05:21 PM, Jason Everling wrote:
>>>         Is what I was asking, in the wiki it says you can add a
>>>         condition to the synchronization policy, under
>>>         https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>>
>>>
>>>           * *condition* is an expression which has to evaluate to
>>>             true for the policy to be used. It can be used for a
>>>             very fine-grain selection of applicable policies.
>>>
>>>
>>>         I found a sample, kind of here,
>>>         https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>>
>>>         I am just a little confused on the condition statement, I
>>>         was thinking it would look something like,
>>>
>>>         <condition>
>>>            <script>
>>>              <code>
>>>                 declare default namespace
>>>         "http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>>         basic.getAttributeValue(account,
>>>         'http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info')
>>>         = replicated
>>>              </code>
>>>           </script>
>>>         </condition>
>>>
>>>
>>>         JASON
>>>
>>>
>>>         On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly
>>>         <mederly at evolveum.com <mailto:mederly at evolveum.com>> wrote:
>>>
>>>             Hello Jason,
>>>
>>>             although I don't understand what you would like to
>>>             achieve, a quick answer though:
>>>
>>>             If you would apply a condition to a mapping (incoming or
>>>             outgoing, it does not matter), you can use <condition>
>>>             subelement directly under <incoming> or <outgoing> one.
>>>             However, take this only as a quick hint. I haven't done
>>>             that, nor I'm sure it's implemented. Please try it.
>>>
>>>             Best regards,
>>>             Pavol
>>>
>>>
>>>             On 28. 11. 2014 22:46, Jason Everling wrote:
>>>>             So I have the roleType syncing to the AD attribute,
>>>>             info, the info or roleType. I want any group that
>>>>             contains this roleType or info attribute sync'd, any
>>>>             other s will not be sync'd.
>>>>
>>>>             I know how to do this in objectTemplate but how in the
>>>>             resource so that it only syncs those groups and not all
>>>>             groups.
>>>>
>>>>             Where do I put in the condition statement in the
>>>>             resource definition? I searched through what I could in
>>>>             the samples but couldn't find anything like this.
>>>>
>>>>             JASON
>>>>
>>>>
>>>>
>>>>             CONFIDENTIALITY NOTICE:
>>>>             This e-mail together with any attachments is
>>>>             proprietary and confidential; intended for only the
>>>>             recipient(s) named above and may contain information
>>>>             that is privileged. You should not retain, copy or use
>>>>             this e-mail or any attachments for any purpose, or
>>>>             disclose all or any part of the contents to any person.
>>>>             Any views or opinions expressed in this e-mail are
>>>>             those of the author and do not represent those of the
>>>>             Baptist School of Health Professions. If you have
>>>>             received this e-mail in error, or are not the named
>>>>             recipient(s), you are hereby notified that any review,
>>>>             dissemination, distribution or copying of this
>>>>             communication is prohibited by the sender and to do so
>>>>             might constitute a violation of the Electronic
>>>>             Communications Privacy Act, 18 U.S.C. section
>>>>             2510-2521. Please immediately notify the sender and
>>>>             delete this e-mail and any attachments from your computer.
>>>>
>>>>
>>>>             _______________________________________________
>>>>             midPoint mailing list
>>>>             midPoint at lists.evolveum.com  <mailto:midPoint at lists.evolveum.com>
>>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com
>>>             <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com  <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com  <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>        Ing. Ivan Noris
>        Senior Identity Management Engineer
>        evolveum.com  <http://evolveum.com>      evolveum.com/blog/  <http://evolveum.com/blog/>
>        _____________________________________________
>        "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and 
> confidential; intended for only the recipient(s) named above and may 
> contain information that is privileged. You should not retain, copy or 
> use this e-mail or any attachments for any purpose, or disclose all or 
> any part of the contents to any person. Any views or opinions 
> expressed in this e-mail are those of the author and do not represent 
> those of the Baptist School of Health Professions. If you have 
> received this e-mail in error, or are not the named recipient(s), you 
> are hereby notified that any review, dissemination, distribution or 
> copying of this communication is prohibited by the sender and to do so 
> might constitute a violation of the Electronic Communications Privacy 
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender 
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/bdf973f0/attachment.htm>

From jeverling at bshp.edu  Mon Dec  1 20:06:21 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 1 Dec 2014 13:06:21 -0600
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <547CA13B.7010503@evolveum.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
 <547C3F22.90508@evolveum.com>
 <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>
 <547C95B7.7060700@evolveum.com>
 <CAFkZXY5XoVhzQZ3bhttxRRZgkutYkyPDfk0Ym_inFr=9jZLtfQ@mail.gmail.com>
 <547CA13B.7010503@evolveum.com>
Message-ID: <CAFkZXY7vONevuxtUMsPUJDmQLN-WmE-za9eeVW93MuEeaPUSVw@mail.gmail.com>

Awesome, it works just by using either of these values in the roleType
field, 2, 4, 8, -2147483646, -2147483644, or -2147483640

                <attribute>
                    <ref>ri:groupType</ref>
                    <outbound>
                        <strength>strong</strength>
                        <source>
                            <path>roleType</path>
                        </source>
                    </outbound>
                    <inbound>
                        <strength>strong</strength>
                        <target>
                            <path>$focus/roleType</path>
                        </target>
                    </inbound>
                </attribute>

So now I am going to do some mappings and auto input those fields when
creating a role based on conditions!

This is great that it works!

JASON

On Mon, Dec 1, 2014 at 11:11 AM, Pavol Mederly <mederly at evolveum.com> wrote:

>  Hello Jason,
>
> I would suggest looking at
> http://msdn.microsoft.com/en-us/library/cc223142.aspx.
>
> Then e.g. Security + Global group would be 0x80000002, i.e. decimally
> either 2147483650 or -2147483646, depending on whether the connector
> expects the value as unsigned int32/64 or signed int32. I have not used
> that yet; so please try them both and see what works for you.
>
> Best regards,
> Pavol
>
>
> On 1. 12. 2014 17:58, Jason Everling wrote:
>
> Yeah I was going to try to set the grouptType attribute which controls
> what group type it is but it is a integer and not a string, if not then no
> big deal, was just wondering.
>
>  JASON
>
> On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>> I don't have AD right now handy, so this one is a meta-answer:
>>
>> - Try to lookup some other-than-global/security groups in your AD, and
>> see their attributes right in AD.
>> - Then try to see if those attributes are managable by the connector (in
>> schema, CustomGroupObjectClass AFAIK).
>> - Then you can try to set corresponding values.
>>
>> In my projects, I've only needed Security and standard groups, I didn't
>> set the other attribute/values, so they were pretty much filled by AD or
>> the connector itself.
>>
>> I'm sure Pavol can give you more precise answer regarding the support of
>> this; and I may have some time later today or tomorrow to explore this
>> myself.
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/01/2014 05:12 PM, Jason Everling wrote:
>>
>> I think that would be a bit much, more than likely, I will move all
>> groups that would be sync'd to Midpoint into its own container in AD and
>> move all our other groups to another container and use the <protected> to
>> filter them out so they are not sync'd.
>>
>>  Is there a way to build a specific group type instead of just Global |
>> Security, maybe Domain Local or Universal or is it hard coded to Global
>> Security?
>>
>>  Thanks!
>> JASON
>>
>> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik <
>> radovan.semancik at evolveum.com> wrote:
>>
>>>  Hi Jason,
>>>
>>> This is slightly different. The condition tells whether to apply the
>>> specific <objectSynchronization> block or on. The primary use of the
>>> condition is to sort objects of the same object class to "intents" (see
>>> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>>> The primary meaning of this is to synchronize group object with a role
>>> object (or org object). But it does not synchronize account-group
>>> association (i.e. group membership) with a user-role assignment.
>>>
>>> With a bit of trickery it could theoretically work for your case. But I
>>> doubt that it will be practical. You will need one <objectSynchronization>
>>> block for each group that you are trying to synchronize.
>>>
>>> --
>>>
>>>                                            Radovan Semancik
>>>                                           Software Architect
>>>                                              evolveum.com
>>>
>>>
>>>
>>> On 11/29/2014 05:21 PM, Jason Everling wrote:
>>>
>>> Is what I was asking, in the wiki it says you can add a condition to the
>>> synchronization policy, under
>>> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>>
>>>
>>>    - *condition* is an expression which has to evaluate to true for the
>>>    policy to be used. It can be used for a very fine-grain selection of
>>>    applicable policies.
>>>
>>>
>>>  I found a sample, kind of here,
>>> https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>>
>>>  I am just a little confused on the condition statement, I was thinking
>>> it would look something like,
>>>
>>>  <condition>
>>>    <script>
>>>      <code>
>>>         declare default namespace "
>>> http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>>         basic.getAttributeValue(account, '
>>> http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info') =
>>> replicated
>>>      </code>
>>>   </script>
>>> </condition>
>>>
>>>
>>>  JASON
>>>
>>>
>>> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly <mederly at evolveum.com>
>>> wrote:
>>>
>>>>  Hello Jason,
>>>>
>>>> although I don't understand what you would like to achieve, a quick
>>>> answer though:
>>>>
>>>> If you would apply a condition to a mapping (incoming or outgoing, it
>>>> does not matter), you can use <condition> subelement directly under
>>>> <incoming> or <outgoing> one.
>>>> However, take this only as a quick hint. I haven't done that, nor I'm
>>>> sure it's implemented. Please try it.
>>>>
>>>> Best regards,
>>>> Pavol
>>>>
>>>>
>>>> On 28. 11. 2014 22:46, Jason Everling wrote:
>>>>
>>>>  So I have the roleType syncing to the AD attribute, info, the info or
>>>> roleType. I want any group that contains this roleType or info attribute
>>>> sync'd, any other s will not be sync'd.
>>>>
>>>>  I know how to do this in objectTemplate but how in the resource so
>>>> that it only syncs those groups and not all groups.
>>>>
>>>>  Where do I put in the condition statement in the resource definition?
>>>> I searched through what I could in the samples but couldn't find anything
>>>> like this.
>>>>
>>>>  JASON
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>   --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/89b3cc4d/attachment.htm>

From jeverling at bshp.edu  Mon Dec  1 20:28:20 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 1 Dec 2014 13:28:20 -0600
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <CAFkZXY7vONevuxtUMsPUJDmQLN-WmE-za9eeVW93MuEeaPUSVw@mail.gmail.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
 <547C3F22.90508@evolveum.com>
 <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>
 <547C95B7.7060700@evolveum.com>
 <CAFkZXY5XoVhzQZ3bhttxRRZgkutYkyPDfk0Ym_inFr=9jZLtfQ@mail.gmail.com>
 <547CA13B.7010503@evolveum.com>
 <CAFkZXY7vONevuxtUMsPUJDmQLN-WmE-za9eeVW93MuEeaPUSVw@mail.gmail.com>
Message-ID: <CAFkZXY7juAGyXwtwHTBmc_5LDb3+WDwsaRbR7p_jWhTniDov_g@mail.gmail.com>

Even better, tested and working, create wither a local security, global
security, or global distribution.

                <attribute>
                    <ref>ri:groupType</ref>
                   <outbound>
                        <strength>strong</strength>
                        <source>
                            <path>roleType</path>
                        </source>
                        <expression>
                            <script>
                                <code>
tmpType = '-2147483646'
switch (roleType) {
case 'group':
tmpType = '-2147483646'
break
case 'local':
tmpType = '-2147483644'
break
case 'distribution':
tmpType = '8'
break
default:
tmpType = '-2147483646'
}
return tmpType
</code>
                            </script>
                        </expression>
                    </outbound>
                </attribute>

Yay!

On Mon, Dec 1, 2014 at 1:06 PM, Jason Everling <jeverling at bshp.edu> wrote:

> Awesome, it works just by using either of these values in the roleType
> field, 2, 4, 8, -2147483646, -2147483644, or -2147483640
>
>                 <attribute>
>                     <ref>ri:groupType</ref>
>                     <outbound>
>                         <strength>strong</strength>
>                         <source>
>                             <path>roleType</path>
>                         </source>
>                     </outbound>
>                     <inbound>
>                         <strength>strong</strength>
>                         <target>
>                             <path>$focus/roleType</path>
>                         </target>
>                     </inbound>
>                 </attribute>
>
> So now I am going to do some mappings and auto input those fields when
> creating a role based on conditions!
>
> This is great that it works!
>
> JASON
>
> On Mon, Dec 1, 2014 at 11:11 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>>  Hello Jason,
>>
>> I would suggest looking at
>> http://msdn.microsoft.com/en-us/library/cc223142.aspx.
>>
>> Then e.g. Security + Global group would be 0x80000002, i.e. decimally
>> either 2147483650 or -2147483646, depending on whether the connector
>> expects the value as unsigned int32/64 or signed int32. I have not used
>> that yet; so please try them both and see what works for you.
>>
>> Best regards,
>> Pavol
>>
>>
>> On 1. 12. 2014 17:58, Jason Everling wrote:
>>
>> Yeah I was going to try to set the grouptType attribute which controls
>> what group type it is but it is a integer and not a string, if not then no
>> big deal, was just wondering.
>>
>>  JASON
>>
>> On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> I don't have AD right now handy, so this one is a meta-answer:
>>>
>>> - Try to lookup some other-than-global/security groups in your AD, and
>>> see their attributes right in AD.
>>> - Then try to see if those attributes are managable by the connector (in
>>> schema, CustomGroupObjectClass AFAIK).
>>> - Then you can try to set corresponding values.
>>>
>>> In my projects, I've only needed Security and standard groups, I didn't
>>> set the other attribute/values, so they were pretty much filled by AD or
>>> the connector itself.
>>>
>>> I'm sure Pavol can give you more precise answer regarding the support of
>>> this; and I may have some time later today or tomorrow to explore this
>>> myself.
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 12/01/2014 05:12 PM, Jason Everling wrote:
>>>
>>> I think that would be a bit much, more than likely, I will move all
>>> groups that would be sync'd to Midpoint into its own container in AD and
>>> move all our other groups to another container and use the <protected> to
>>> filter them out so they are not sync'd.
>>>
>>>  Is there a way to build a specific group type instead of just Global |
>>> Security, maybe Domain Local or Universal or is it hard coded to Global
>>> Security?
>>>
>>>  Thanks!
>>> JASON
>>>
>>> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik <
>>> radovan.semancik at evolveum.com> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>> This is slightly different. The condition tells whether to apply the
>>>> specific <objectSynchronization> block or on. The primary use of the
>>>> condition is to sort objects of the same object class to "intents" (see
>>>> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>>>> The primary meaning of this is to synchronize group object with a role
>>>> object (or org object). But it does not synchronize account-group
>>>> association (i.e. group membership) with a user-role assignment.
>>>>
>>>> With a bit of trickery it could theoretically work for your case. But I
>>>> doubt that it will be practical. You will need one <objectSynchronization>
>>>> block for each group that you are trying to synchronize.
>>>>
>>>> --
>>>>
>>>>                                            Radovan Semancik
>>>>                                           Software Architect
>>>>                                              evolveum.com
>>>>
>>>>
>>>>
>>>> On 11/29/2014 05:21 PM, Jason Everling wrote:
>>>>
>>>> Is what I was asking, in the wiki it says you can add a condition to
>>>> the synchronization policy, under
>>>> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>>>
>>>>
>>>>    - *condition* is an expression which has to evaluate to true for
>>>>    the policy to be used. It can be used for a very fine-grain selection of
>>>>    applicable policies.
>>>>
>>>>
>>>>  I found a sample, kind of here,
>>>> https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>>>
>>>>  I am just a little confused on the condition statement, I was
>>>> thinking it would look something like,
>>>>
>>>>  <condition>
>>>>    <script>
>>>>      <code>
>>>>         declare default namespace "
>>>> http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>>>         basic.getAttributeValue(account, '
>>>> http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info') =
>>>> replicated
>>>>      </code>
>>>>   </script>
>>>> </condition>
>>>>
>>>>
>>>>  JASON
>>>>
>>>>
>>>> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly <mederly at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hello Jason,
>>>>>
>>>>> although I don't understand what you would like to achieve, a quick
>>>>> answer though:
>>>>>
>>>>> If you would apply a condition to a mapping (incoming or outgoing, it
>>>>> does not matter), you can use <condition> subelement directly under
>>>>> <incoming> or <outgoing> one.
>>>>> However, take this only as a quick hint. I haven't done that, nor I'm
>>>>> sure it's implemented. Please try it.
>>>>>
>>>>> Best regards,
>>>>> Pavol
>>>>>
>>>>>
>>>>> On 28. 11. 2014 22:46, Jason Everling wrote:
>>>>>
>>>>>  So I have the roleType syncing to the AD attribute, info, the info
>>>>> or roleType. I want any group that contains this roleType or info attribute
>>>>> sync'd, any other s will not be sync'd.
>>>>>
>>>>>  I know how to do this in objectTemplate but how in the resource so
>>>>> that it only syncs those groups and not all groups.
>>>>>
>>>>>  Where do I put in the condition statement in the resource
>>>>> definition? I searched through what I could in the samples but couldn't
>>>>> find anything like this.
>>>>>
>>>>>  JASON
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>   --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/d07d9dea/attachment.htm>

From jeverling at bshp.edu  Mon Dec  1 20:34:17 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 1 Dec 2014 13:34:17 -0600
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <CAFkZXY7juAGyXwtwHTBmc_5LDb3+WDwsaRbR7p_jWhTniDov_g@mail.gmail.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
 <547C3F22.90508@evolveum.com>
 <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>
 <547C95B7.7060700@evolveum.com>
 <CAFkZXY5XoVhzQZ3bhttxRRZgkutYkyPDfk0Ym_inFr=9jZLtfQ@mail.gmail.com>
 <547CA13B.7010503@evolveum.com>
 <CAFkZXY7vONevuxtUMsPUJDmQLN-WmE-za9eeVW93MuEeaPUSVw@mail.gmail.com>
 <CAFkZXY7juAGyXwtwHTBmc_5LDb3+WDwsaRbR7p_jWhTniDov_g@mail.gmail.com>
Message-ID: <CAFkZXY5f1FfV0X-55FFQewb7jH0Ku+tvDRDsFew8E6vsMEz8Vw@mail.gmail.com>

If anyone else is interested, I also mapped for the group objectType , the
email address for a distribution group to the identifier field,

<attribute>
                    <ref>ri:mail</ref>
                    <outbound>
                        <source>
                            <path>identifier</path>
                        </source>
                    </outbound>
                    <inbound>
                        <target>
                            <path>$focus/identifier</path>
                        </target>
                    </inbound>
                </attribute>

On Mon, Dec 1, 2014 at 1:28 PM, Jason Everling <jeverling at bshp.edu> wrote:

> Even better, tested and working, create wither a local security, global
> security, or global distribution.
>
>                 <attribute>
>                     <ref>ri:groupType</ref>
>                    <outbound>
>                         <strength>strong</strength>
>                         <source>
>                             <path>roleType</path>
>                         </source>
>                         <expression>
>                             <script>
>                                 <code>
> tmpType = '-2147483646'
> switch (roleType) {
> case 'group':
> tmpType = '-2147483646'
> break
> case 'local':
> tmpType = '-2147483644'
> break
> case 'distribution':
> tmpType = '8'
> break
> default:
> tmpType = '-2147483646'
> }
> return tmpType
> </code>
>                             </script>
>                         </expression>
>                     </outbound>
>                 </attribute>
>
> Yay!
>
> On Mon, Dec 1, 2014 at 1:06 PM, Jason Everling <jeverling at bshp.edu> wrote:
>
>> Awesome, it works just by using either of these values in the roleType
>> field, 2, 4, 8, -2147483646, -2147483644, or -2147483640
>>
>>                 <attribute>
>>                     <ref>ri:groupType</ref>
>>                     <outbound>
>>                         <strength>strong</strength>
>>                         <source>
>>                             <path>roleType</path>
>>                         </source>
>>                     </outbound>
>>                     <inbound>
>>                         <strength>strong</strength>
>>                         <target>
>>                             <path>$focus/roleType</path>
>>                         </target>
>>                     </inbound>
>>                 </attribute>
>>
>> So now I am going to do some mappings and auto input those fields when
>> creating a role based on conditions!
>>
>> This is great that it works!
>>
>> JASON
>>
>> On Mon, Dec 1, 2014 at 11:11 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>>  Hello Jason,
>>>
>>> I would suggest looking at
>>> http://msdn.microsoft.com/en-us/library/cc223142.aspx.
>>>
>>> Then e.g. Security + Global group would be 0x80000002, i.e. decimally
>>> either 2147483650 or -2147483646, depending on whether the connector
>>> expects the value as unsigned int32/64 or signed int32. I have not used
>>> that yet; so please try them both and see what works for you.
>>>
>>> Best regards,
>>> Pavol
>>>
>>>
>>> On 1. 12. 2014 17:58, Jason Everling wrote:
>>>
>>> Yeah I was going to try to set the grouptType attribute which controls
>>> what group type it is but it is a integer and not a string, if not then no
>>> big deal, was just wondering.
>>>
>>>  JASON
>>>
>>> On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>> I don't have AD right now handy, so this one is a meta-answer:
>>>>
>>>> - Try to lookup some other-than-global/security groups in your AD, and
>>>> see their attributes right in AD.
>>>> - Then try to see if those attributes are managable by the connector
>>>> (in schema, CustomGroupObjectClass AFAIK).
>>>> - Then you can try to set corresponding values.
>>>>
>>>> In my projects, I've only needed Security and standard groups, I didn't
>>>> set the other attribute/values, so they were pretty much filled by AD or
>>>> the connector itself.
>>>>
>>>> I'm sure Pavol can give you more precise answer regarding the support
>>>> of this; and I may have some time later today or tomorrow to explore this
>>>> myself.
>>>>
>>>> Regards,
>>>> Ivan
>>>>
>>>>
>>>> On 12/01/2014 05:12 PM, Jason Everling wrote:
>>>>
>>>> I think that would be a bit much, more than likely, I will move all
>>>> groups that would be sync'd to Midpoint into its own container in AD and
>>>> move all our other groups to another container and use the <protected> to
>>>> filter them out so they are not sync'd.
>>>>
>>>>  Is there a way to build a specific group type instead of just Global
>>>> | Security, maybe Domain Local or Universal or is it hard coded to Global
>>>> Security?
>>>>
>>>>  Thanks!
>>>> JASON
>>>>
>>>> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik <
>>>> radovan.semancik at evolveum.com> wrote:
>>>>
>>>>>  Hi Jason,
>>>>>
>>>>> This is slightly different. The condition tells whether to apply the
>>>>> specific <objectSynchronization> block or on. The primary use of the
>>>>> condition is to sort objects of the same object class to "intents" (see
>>>>> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>>>>> The primary meaning of this is to synchronize group object with a role
>>>>> object (or org object). But it does not synchronize account-group
>>>>> association (i.e. group membership) with a user-role assignment.
>>>>>
>>>>> With a bit of trickery it could theoretically work for your case. But
>>>>> I doubt that it will be practical. You will need one
>>>>> <objectSynchronization> block for each group that you are trying to
>>>>> synchronize.
>>>>>
>>>>> --
>>>>>
>>>>>                                            Radovan Semancik
>>>>>                                           Software Architect
>>>>>                                              evolveum.com
>>>>>
>>>>>
>>>>>
>>>>> On 11/29/2014 05:21 PM, Jason Everling wrote:
>>>>>
>>>>> Is what I was asking, in the wiki it says you can add a condition to
>>>>> the synchronization policy, under
>>>>> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>>>>
>>>>>
>>>>>    - *condition* is an expression which has to evaluate to true for
>>>>>    the policy to be used. It can be used for a very fine-grain selection of
>>>>>    applicable policies.
>>>>>
>>>>>
>>>>>  I found a sample, kind of here,
>>>>> https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>>>>
>>>>>  I am just a little confused on the condition statement, I was
>>>>> thinking it would look something like,
>>>>>
>>>>>  <condition>
>>>>>    <script>
>>>>>      <code>
>>>>>         declare default namespace "
>>>>> http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>>>>         basic.getAttributeValue(account, '
>>>>> http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info')
>>>>> = replicated
>>>>>      </code>
>>>>>   </script>
>>>>> </condition>
>>>>>
>>>>>
>>>>>  JASON
>>>>>
>>>>>
>>>>> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly <mederly at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>>  Hello Jason,
>>>>>>
>>>>>> although I don't understand what you would like to achieve, a quick
>>>>>> answer though:
>>>>>>
>>>>>> If you would apply a condition to a mapping (incoming or outgoing, it
>>>>>> does not matter), you can use <condition> subelement directly under
>>>>>> <incoming> or <outgoing> one.
>>>>>> However, take this only as a quick hint. I haven't done that, nor I'm
>>>>>> sure it's implemented. Please try it.
>>>>>>
>>>>>> Best regards,
>>>>>> Pavol
>>>>>>
>>>>>>
>>>>>> On 28. 11. 2014 22:46, Jason Everling wrote:
>>>>>>
>>>>>>  So I have the roleType syncing to the AD attribute, info, the info
>>>>>> or roleType. I want any group that contains this roleType or info attribute
>>>>>> sync'd, any other s will not be sync'd.
>>>>>>
>>>>>>  I know how to do this in objectTemplate but how in the resource so
>>>>>> that it only syncs those groups and not all groups.
>>>>>>
>>>>>>  Where do I put in the condition statement in the resource
>>>>>> definition? I searched through what I could in the samples but couldn't
>>>>>> find anything like this.
>>>>>>
>>>>>>  JASON
>>>>>>
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE:
>>>>>> This e-mail together with any attachments is proprietary and
>>>>>> confidential; intended for only the recipient(s) named above and may
>>>>>> contain information that is privileged. You should not retain, copy or use
>>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>>> computer.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>   --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/00200eff/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  1 23:28:38 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 01 Dec 2014 23:28:38 +0100
Subject: [midPoint] Syncing only specific groups
In-Reply-To: <CAFkZXY7vONevuxtUMsPUJDmQLN-WmE-za9eeVW93MuEeaPUSVw@mail.gmail.com>
References: <CAFkZXY4E3sEmV6LRcWufRYwaD_cXptybshOKK7x_G4hSrbzppw@mail.gmail.com>
 <5479880E.90401@evolveum.com>
 <CAFkZXY4j0Y5kKBCcCqVN6qcK9NpnQxR_JWAsWW9A+ghvkhEqcw@mail.gmail.com>
 <547C3F22.90508@evolveum.com>
 <CAFkZXY5xjrOM9McDPLAORDMTqdBbrDxbWTwcy1VfDbg9QP8X7w@mail.gmail.com>
 <547C95B7.7060700@evolveum.com>
 <CAFkZXY5XoVhzQZ3bhttxRRZgkutYkyPDfk0Ym_inFr=9jZLtfQ@mail.gmail.com>
 <547CA13B.7010503@evolveum.com>
 <CAFkZXY7vONevuxtUMsPUJDmQLN-WmE-za9eeVW93MuEeaPUSVw@mail.gmail.com>
Message-ID: <547CEB96.4090707@evolveum.com>

Glad to hear that it worked :-)

Regards,
Ivan

On 12/01/2014 08:06 PM, Jason Everling wrote:
> Awesome, it works just by using either of these values in the roleType
> field, 2, 4, 8, -2147483646, -2147483644, or -2147483640
>
>                 <attribute>
>                     <ref>ri:groupType</ref>
>                     <outbound>
>                         <strength>strong</strength>
>                         <source>
>                             <path>roleType</path>
>                         </source>
>                     </outbound>
>                     <inbound>
>                         <strength>strong</strength>
>                         <target>
>                             <path>$focus/roleType</path>
>                         </target>
>                     </inbound>
>                 </attribute>
>
> So now I am going to do some mappings and auto input those fields when
> creating a role based on conditions!
>
> This is great that it works!
>
> JASON
>
> On Mon, Dec 1, 2014 at 11:11 AM, Pavol Mederly <mederly at evolveum.com
> <mailto:mederly at evolveum.com>> wrote:
>
>     Hello Jason,
>
>     I would suggest looking at
>     http://msdn.microsoft.com/en-us/library/cc223142.aspx.
>
>     Then e.g. Security + Global group would be 0x80000002, i.e.
>     decimally either 2147483650 <tel:2147483650> or -2147483646
>     <tel:2147483646>, depending on whether the connector expects the
>     value as unsigned int32/64 or signed int32. I have not used that
>     yet; so please try them both and see what works for you.
>
>     Best regards,
>     Pavol
>
>
>     On 1. 12. 2014 17:58, Jason Everling wrote:
>>     Yeah I was going to try to set the grouptType attribute which
>>     controls what group type it is but it is a integer and not a
>>     string, if not then no big deal, was just wondering.
>>
>>     JASON
>>
>>     On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Hi Jason,
>>
>>         I don't have AD right now handy, so this one is a meta-answer:
>>
>>         - Try to lookup some other-than-global/security groups in
>>         your AD, and see their attributes right in AD.
>>         - Then try to see if those attributes are managable by the
>>         connector (in schema, CustomGroupObjectClass AFAIK).
>>         - Then you can try to set corresponding values.
>>
>>         In my projects, I've only needed Security and standard
>>         groups, I didn't set the other attribute/values, so they were
>>         pretty much filled by AD or the connector itself.
>>
>>         I'm sure Pavol can give you more precise answer regarding the
>>         support of this; and I may have some time later today or
>>         tomorrow to explore this myself.
>>
>>         Regards,
>>         Ivan
>>
>>
>>         On 12/01/2014 05:12 PM, Jason Everling wrote:
>>>         I think that would be a bit much, more than likely, I will
>>>         move all groups that would be sync'd to Midpoint into its
>>>         own container in AD and move all our other groups to another
>>>         container and use the <protected> to filter them out so they
>>>         are not sync'd.
>>>
>>>         Is there a way to build a specific group type instead of
>>>         just Global | Security, maybe Domain Local or Universal or
>>>         is it hard coded to Global Security?
>>>
>>>         Thanks!
>>>         JASON
>>>
>>>         On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik
>>>         <radovan.semancik at evolveum.com
>>>         <mailto:radovan.semancik at evolveum.com>> wrote:
>>>
>>>             Hi Jason,
>>>
>>>             This is slightly different. The condition tells whether
>>>             to apply the specific <objectSynchronization> block or
>>>             on. The primary use of the condition is to sort objects
>>>             of the same object class to "intents" (see
>>>             https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>>>             The primary meaning of this is to synchronize group
>>>             object with a role object (or org object). But it does
>>>             not synchronize account-group association (i.e. group
>>>             membership) with a user-role assignment.
>>>
>>>             With a bit of trickery it could theoretically work for
>>>             your case. But I doubt that it will be practical. You
>>>             will need one <objectSynchronization> block for each
>>>             group that you are trying to synchronize.
>>>
>>>             -- 
>>>
>>>                                                        Radovan Semancik
>>>                                                       Software Architect
>>>                                                          evolveum.com <http://evolveum.com>
>>>
>>>
>>>
>>>             On 11/29/2014 05:21 PM, Jason Everling wrote:
>>>>             Is what I was asking, in the wiki it says you can add a
>>>>             condition to the synchronization policy,
>>>>             under https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>>>
>>>>
>>>>               * *condition* is an expression which has to evaluate
>>>>                 to true for the policy to be used. It can be used
>>>>                 for a very fine-grain selection of applicable policies.
>>>>
>>>>
>>>>             I found a sample, kind of
>>>>             here, https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>>>
>>>>             I am just a little confused on the condition statement,
>>>>             I was thinking it would look something like,
>>>>
>>>>             <condition>
>>>>                <script>
>>>>                  <code>
>>>>                     declare default namespace
>>>>             "http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>>>                     basic.getAttributeValue(account,
>>>>             'http://midpoint.evolveum.com/xml/ns/public/common/common-3',
>>>>             'info') = replicated
>>>>                  </code>
>>>>               </script>
>>>>             </condition>
>>>>
>>>>
>>>>             JASON
>>>>
>>>>
>>>>             On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly
>>>>             <mederly at evolveum.com <mailto:mederly at evolveum.com>> wrote:
>>>>
>>>>                 Hello Jason,
>>>>
>>>>                 although I don't understand what you would like to
>>>>                 achieve, a quick answer though:
>>>>
>>>>                 If you would apply a condition to a mapping
>>>>                 (incoming or outgoing, it does not matter), you can
>>>>                 use <condition> subelement directly under
>>>>                 <incoming> or <outgoing> one.
>>>>                 However, take this only as a quick hint. I haven't
>>>>                 done that, nor I'm sure it's implemented. Please
>>>>                 try it.
>>>>
>>>>                 Best regards,
>>>>                 Pavol
>>>>
>>>>
>>>>                 On 28. 11. 2014 22:46, Jason Everling wrote:
>>>>>                 So I have the roleType syncing to the AD
>>>>>                 attribute, info, the info or roleType. I want any
>>>>>                 group that contains this roleType or info
>>>>>                 attribute sync'd, any other s will not be sync'd.
>>>>>
>>>>>                 I know how to do this in objectTemplate but how in
>>>>>                 the resource so that it only syncs those groups
>>>>>                 and not all groups.
>>>>>
>>>>>                 Where do I put in the condition statement in the
>>>>>                 resource definition? I searched through what I
>>>>>                 could in the samples but couldn't find anything
>>>>>                 like this.
>>>>>
>>>>>                 JASON
>>>>>
>>>>>
>>>>>
>>>>>                 CONFIDENTIALITY NOTICE:
>>>>>                 This e-mail together with any attachments is
>>>>>                 proprietary and confidential; intended for only
>>>>>                 the recipient(s) named above and may contain
>>>>>                 information that is privileged. You should not
>>>>>                 retain, copy or use this e-mail or any attachments
>>>>>                 for any purpose, or disclose all or any part of
>>>>>                 the contents to any person. Any views or opinions
>>>>>                 expressed in this e-mail are those of the author
>>>>>                 and do not represent those of the Baptist School
>>>>>                 of Health Professions. If you have received this
>>>>>                 e-mail in error, or are not the named
>>>>>                 recipient(s), you are hereby notified that any
>>>>>                 review, dissemination, distribution or copying of
>>>>>                 this communication is prohibited by the sender and
>>>>>                 to do so might constitute a violation of the
>>>>>                 Electronic Communications Privacy Act, 18 U.S.C.
>>>>>                 section 2510-2521. Please immediately notify the
>>>>>                 sender and delete this e-mail and any attachments
>>>>>                 from your computer.
>>>>>
>>>>>
>>>>>                 _______________________________________________
>>>>>                 midPoint mailing list
>>>>>                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 midPoint mailing list
>>>>                 midPoint at lists.evolveum.com
>>>>                 <mailto:midPoint at lists.evolveum.com>
>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>             CONFIDENTIALITY NOTICE:
>>>>             This e-mail together with any attachments is
>>>>             proprietary and confidential; intended for only the
>>>>             recipient(s) named above and may contain information
>>>>             that is privileged. You should not retain, copy or use
>>>>             this e-mail or any attachments for any purpose, or
>>>>             disclose all or any part of the contents to any person.
>>>>             Any views or opinions expressed in this e-mail are
>>>>             those of the author and do not represent those of the
>>>>             Baptist School of Health Professions. If you have
>>>>             received this e-mail in error, or are not the named
>>>>             recipient(s), you are hereby notified that any review,
>>>>             dissemination, distribution or copying of this
>>>>             communication is prohibited by the sender and to do so
>>>>             might constitute a violation of the Electronic
>>>>             Communications Privacy Act, 18 U.S.C. section
>>>>             2510-2521. Please immediately notify the sender and
>>>>             delete this e-mail and any attachments from your computer.
>>>>
>>>>
>>>>             _______________________________________________
>>>>             midPoint mailing list
>>>>             midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com
>>>             <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/73978d7a/attachment.htm>

From jeverling at bshp.edu  Tue Dec  2 00:36:53 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 1 Dec 2014 17:36:53 -0600
Subject: [midPoint] Org Tree Bug, Users not listed
Message-ID: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>

Since I finished up the roles/groups testing I moved onto Orgs, I got my
orgs mapped and working correctly so it is not a configuration question.

When a user is manually added in the midpoint GUI and the Org gets assigned
manually the users shows up in the GUI in the Org Tree,

If a user is created automatically using a resource such as DBTable or CSV
and the Org is assigned from a objectTemplate they do not show up in the
Org tree under the Org but if I open the user, sure enough the Org is
assigned.

The only thing I notice differently from a manual creation to a automatic
creation is that the manual creation adds the below to the user object, the
users that are automatically created are missing this item, if I manually
add the item to the user then they show up in the Org Tree,

The below is what is missing from the auto created/assigned users objects,

   <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL --></parentOrgRef>

JASON

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/ba6b4757/attachment.htm>

From jeverling at bshp.edu  Tue Dec  2 00:39:53 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 1 Dec 2014 17:39:53 -0600
Subject: [midPoint] Org Tree Bug, Users not listed
In-Reply-To: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
References: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
Message-ID: <CAFkZXY6oTUT_oDVXoaymqr237iH59T+PPPtZGdBCLZu3Rp=yZw@mail.gmail.com>

Here are 2 samples, you can see the parentOrgRef missing,

Manual User:

<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="480c58aa-42a0-42a0-9c08-225a9da5d904"
      version="13">
   <name>Muser10</name>
   <extension xmlns:gen726="http://whatever.com/my">
      <gen726:otherMailbox>muser10 at local.org</gen726:otherMailbox>
      <gen726:eduPersonAffiliation>staff</gen726:eduPersonAffiliation>
   </extension>
   <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL --></parentOrgRef>
   <metadata>
      <createTimestamp>2014-10-18T16:03:15.399-05:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002"
type="UserType"><!-- sysadmin --></creatorRef>
      <createChannel>
http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
</createChannel>
      <modifyTimestamp>2014-11-28T11:46:04.766-06:00</modifyTimestamp>
      <modifierRef xmlns:tns="
http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                   oid="00000000-0000-0000-0000-000000000002"
                   type="tns:UserType"><!-- sysadmin --></modifierRef>
      <modifyChannel>
http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
</modifyChannel>
   </metadata>
   <linkRef oid="a352404e-59e8-4105-b707-ed7b3f4ca680"
type="ShadowType"><!-- CN=Midpoint User10,OU=SHP Staff,DC=TEST,DC=LOCAL
--></linkRef>
   <linkRef oid="bd138cf0-4acf-467a-b9eb-213e203eaedd"
type="ShadowType"><!-- Muser10 --></linkRef>
   <assignment id="1">
      <targetRef xmlns:c="
http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="44545ccc-4da3-483a-8189-d85902072998"
                 type="c:RoleType"><!-- SHP Staff --></targetRef>
   </assignment>
   <assignment id="2">
      <targetRef xmlns:c="
http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="9c3facf5-fd01-46f5-9c28-8488403826be"
                 type="c:OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL
--></targetRef>
   </assignment>

Automatic User:

<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="a60f09c3-1e13-4d71-b7a1-933e6f2ee281"
      version="14">
   <name>weblevins</name>
   <extension xmlns:gen726="http://whatever.com/my">
      <gen726:otherMailbox>wblevins at yahoo.com</gen726:otherMailbox>
      <gen726:eduPersonAffiliation>student</gen726:eduPersonAffiliation>
   </extension>
   <metadata>
      <createTimestamp>2014-11-04T12:38:30.242-06:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002"
type="UserType"><!-- sysadmin --></creatorRef>
      <createChannel>
http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
</createChannel>
      <modifyTimestamp>2014-11-27T21:04:35.858-06:00</modifyTimestamp>
      <modifierRef xmlns:tns="
http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                   oid="00000000-0000-0000-0000-000000000002"
                   type="tns:UserType"><!-- sysadmin --></modifierRef>
      <modifyChannel>
http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
</modifyChannel>
   </metadata>
   <linkRef oid="5df37278-602e-456d-b025-b8efdc03b61b"
type="ShadowType"><!-- CN=Wendy Blevins,OU=AAD,OU=SHP
Students,DC=TEST,DC=LOCAL --></linkRef>
   <linkRef oid="6bd8899d-a8d6-446f-b224-465a794a4d6c"
type="ShadowType"><!-- WT7188976 --></linkRef>
   <linkRef oid="abbeb5cc-11fa-4235-a27f-d6da724f40ac"
type="ShadowType"><!-- weblevins --></linkRef>
   <assignment id="1">
      <targetRef xmlns:c="
http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="f6f68a1d-313e-4fa4-af32-96219476d4ea"
                 type="c:OrgType"><!-- OU=AAD,OU=SHP
Students,DC=TEST,DC=LOCAL --></targetRef>
   </assignment>
   <assignment id="2">
      <targetRef xmlns:c="
http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="ebdf7b91-79af-4a49-9255-f0baa51f9c2b"
                 type="c:RoleType"><!-- SHP Students --></targetRef>

On Mon, Dec 1, 2014 at 5:36 PM, Jason Everling <jeverling at bshp.edu> wrote:

> Since I finished up the roles/groups testing I moved onto Orgs, I got my
> orgs mapped and working correctly so it is not a configuration question.
>
> When a user is manually added in the midpoint GUI and the Org gets
> assigned manually the users shows up in the GUI in the Org Tree,
>
> If a user is created automatically using a resource such as DBTable or CSV
> and the Org is assigned from a objectTemplate they do not show up in the
> Org tree under the Org but if I open the user, sure enough the Org is
> assigned.
>
> The only thing I notice differently from a manual creation to a automatic
> creation is that the manual creation adds the below to the user object, the
> users that are automatically created are missing this item, if I manually
> add the item to the user then they show up in the Org Tree,
>
> The below is what is missing from the auto created/assigned users objects,
>
>    <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
> type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL --></parentOrgRef>
>
> JASON
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141201/2253621e/attachment.htm>

From ivan.noris at evolveum.com  Tue Dec  2 08:30:02 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 02 Dec 2014 08:30:02 +0100
Subject: [midPoint] Org Tree Bug, Users not listed
In-Reply-To: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
References: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
Message-ID: <547D6A7A.5000006@evolveum.com>

Jason,

first - thank you for detailed report.
I've just tested this, but couldn't reproduce with my midPoint version.
This is what I've tried to check with you:

1. using your Sonis Web resource (CSV), slightly modified: removed
schema extension inbounds and object template reference in "unmatched"
action - but tried also with it
2. create most simple object template with only 1 mapping and set it as
global user template:
   <mapping>
      <expression>
         <assignmentTargetSearch>
            <targetType
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:OrgType</targetType>
            <oid>00000000-dc00-dc00-0005-000000000001</oid>
         </assignmentTargetSearch>
      </expression>
      <target>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">assignment</c:path>
      </target>
   </mapping>

(the oid is one my root organizations I have in midPoint)
3. tried to do LiveSync for two accounts
4. both accounts appear in OrgStruct, and of course have parentOrgRef
5. then I've switched off the global user template and referenced it
directly in "unmatched" situation
6. created another account in CSV, livesynced
7. the account also works, appears in OrgStruct

So, unless I'm doing something different, it might as well as be fixed
in the devel version I'm running: git-v3.0.1devel-680-g89fbcf7

If I'm not making some obvious mistake by oversimplifying your scenario,
would it be possible to retest this with master? I'd recommend to try it
in separate DB repository (H2 is ok) as there is a change in DB schema
after 3.0.1 as well as in the connector namespaces (so you would need to
change connector references for DB, CSV, LDAP resources for master).

Thank you.
Regards,
Ivan

On 12/02/2014 12:36 AM, Jason Everling wrote:
> Since I finished up the roles/groups testing I moved onto Orgs, I got
> my orgs mapped and working correctly so it is not a configuration
> question.
>
> When a user is manually added in the midpoint GUI and the Org gets
> assigned manually the users shows up in the GUI in the Org Tree,
>
> If a user is created automatically using a resource such as DBTable or
> CSV and the Org is assigned from a objectTemplate they do not show up
> in the Org tree under the Org but if I open the user, sure enough the
> Org is assigned.
>
> The only thing I notice differently from a manual creation to a
> automatic creation is that the manual creation adds the below to the
> user object, the users that are automatically created are missing this
> item, if I manually add the item to the user then they show up in the
> Org Tree,
>
> The below is what is missing from the auto created/assigned users objects,
>
>    <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
> type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL --></parentOrgRef>
>
> JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141202/485aa35d/attachment.htm>

From jeverling at bshp.edu  Tue Dec  2 15:25:16 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Tue, 2 Dec 2014 08:25:16 -0600
Subject: [midPoint] Org Tree Bug, Users not listed
In-Reply-To: <547D6A7A.5000006@evolveum.com>
References: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
 <547D6A7A.5000006@evolveum.com>
Message-ID: <CAFkZXY6ALSynGaO=HbTsL_QZRx_Sx5FBxM8dp8raO+krxKSSDg@mail.gmail.com>

Can you try to use my mapping, yours looks to be assigning a specific
organization,

My mapping in objectTemplate is assigning based on the "organization"
attribute in the user profile

    <mapping>
        <authoritative>true</authoritative>
        <source>
            <path>organization</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:OrgType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <path>$organization</path>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>

Thanks!

On Tue, Dec 2, 2014 at 1:30 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> first - thank you for detailed report.
> I've just tested this, but couldn't reproduce with my midPoint version.
> This is what I've tried to check with you:
>
> 1. using your Sonis Web resource (CSV), slightly modified: removed schema
> extension inbounds and object template reference in "unmatched" action -
> but tried also with it
> 2. create most simple object template with only 1 mapping and set it as
> global user template:
>    <mapping>
>       <expression>
>          <assignmentTargetSearch>
>             <targetType xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >c:OrgType</targetType>
>             <oid>00000000-dc00-dc00-0005-000000000001</oid>
>          </assignmentTargetSearch>
>       </expression>
>       <target>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >assignment</c:path>
>       </target>
>    </mapping>
>
> (the oid is one my root organizations I have in midPoint)
> 3. tried to do LiveSync for two accounts
> 4. both accounts appear in OrgStruct, and of course have parentOrgRef
> 5. then I've switched off the global user template and referenced it
> directly in "unmatched" situation
> 6. created another account in CSV, livesynced
> 7. the account also works, appears in OrgStruct
>
> So, unless I'm doing something different, it might as well as be fixed in
> the devel version I'm running: git-v3.0.1devel-680-g89fbcf7
>
> If I'm not making some obvious mistake by oversimplifying your scenario,
> would it be possible to retest this with master? I'd recommend to try it in
> separate DB repository (H2 is ok) as there is a change in DB schema after
> 3.0.1 as well as in the connector namespaces (so you would need to change
> connector references for DB, CSV, LDAP resources for master).
>
> Thank you.
> Regards,
> Ivan
>
>
> On 12/02/2014 12:36 AM, Jason Everling wrote:
>
> Since I finished up the roles/groups testing I moved onto Orgs, I got my
> orgs mapped and working correctly so it is not a configuration question.
>
>  When a user is manually added in the midpoint GUI and the Org gets
> assigned manually the users shows up in the GUI in the Org Tree,
>
>  If a user is created automatically using a resource such as DBTable or
> CSV and the Org is assigned from a objectTemplate they do not show up in
> the Org tree under the Org but if I open the user, sure enough the Org is
> assigned.
>
>  The only thing I notice differently from a manual creation to a
> automatic creation is that the manual creation adds the below to the user
> object, the users that are automatically created are missing this item, if
> I manually add the item to the user then they show up in the Org Tree,
>
>  The below is what is missing from the auto created/assigned users
> objects,
>
>     <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
> type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL --></parentOrgRef>
>
>  JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141202/ea77ad32/attachment.htm>

From ivan.noris at evolveum.com  Tue Dec  2 15:32:59 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 02 Dec 2014 15:32:59 +0100
Subject: [midPoint] Org Tree Bug, Users not listed
In-Reply-To: <CAFkZXY6ALSynGaO=HbTsL_QZRx_Sx5FBxM8dp8raO+krxKSSDg@mail.gmail.com>
References: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
 <547D6A7A.5000006@evolveum.com>
 <CAFkZXY6ALSynGaO=HbTsL_QZRx_Sx5FBxM8dp8raO+krxKSSDg@mail.gmail.com>
Message-ID: <547DCD9B.3020801@evolveum.com>

OK, will do.

Regards,
I.

On 12/02/2014 03:25 PM, Jason Everling wrote:
> Can you try to use my mapping, yours looks to be assigning a specific
> organization,
>
> My mapping in objectTemplate is assigning based on the "organization"
> attribute in the user profile
>
>     <mapping>
>         <authoritative>true</authoritative>
>         <source>
>             <path>organization</path>
>         </source>
>         <expression>
>             <assignmentTargetSearch>
>                 <targetType>c:OrgType</targetType>
>                 <filter>
>                     <q:equal>
>                         <q:path>name</q:path>
>                         <expression>
>                             <path>$organization</path>
>                         </expression>
>                     </q:equal>
>                 </filter>
>             </assignmentTargetSearch>
>         </expression>
>         <target>
>             <path>assignment</path>
>         </target>
>     </mapping>
>
> Thanks!
>
> On Tue, Dec 2, 2014 at 1:30 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Jason,
>
>     first - thank you for detailed report.
>     I've just tested this, but couldn't reproduce with my midPoint
>     version. This is what I've tried to check with you:
>
>     1. using your Sonis Web resource (CSV), slightly modified: removed
>     schema extension inbounds and object template reference in
>     "unmatched" action - but tried also with it
>     2. create most simple object template with only 1 mapping and set
>     it as global user template:
>        <mapping>
>           <expression>
>              <assignmentTargetSearch>
>                 <targetType
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>c:OrgType</targetType>
>                 <oid>00000000-dc00-dc00-0005-000000000001</oid>
>              </assignmentTargetSearch>
>           </expression>
>           <target>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>assignment</c:path>
>           </target>
>        </mapping>
>
>     (the oid is one my root organizations I have in midPoint)
>     3. tried to do LiveSync for two accounts
>     4. both accounts appear in OrgStruct, and of course have parentOrgRef
>     5. then I've switched off the global user template and referenced
>     it directly in "unmatched" situation
>     6. created another account in CSV, livesynced
>     7. the account also works, appears in OrgStruct
>
>     So, unless I'm doing something different, it might as well as be
>     fixed in the devel version I'm running: git-v3.0.1devel-680-g89fbcf7
>
>     If I'm not making some obvious mistake by oversimplifying your
>     scenario, would it be possible to retest this with master? I'd
>     recommend to try it in separate DB repository (H2 is ok) as there
>     is a change in DB schema after 3.0.1 as well as in the connector
>     namespaces (so you would need to change connector references for
>     DB, CSV, LDAP resources for master).
>
>     Thank you.
>     Regards,
>     Ivan
>
>
>     On 12/02/2014 12:36 AM, Jason Everling wrote:
>>     Since I finished up the roles/groups testing I moved onto Orgs, I
>>     got my orgs mapped and working correctly so it is not a
>>     configuration question.
>>
>>     When a user is manually added in the midpoint GUI and the Org
>>     gets assigned manually the users shows up in the GUI in the Org Tree,
>>
>>     If a user is created automatically using a resource such as
>>     DBTable or CSV and the Org is assigned from a objectTemplate they
>>     do not show up in the Org tree under the Org but if I open the
>>     user, sure enough the Org is assigned.
>>
>>     The only thing I notice differently from a manual creation to a
>>     automatic creation is that the manual creation adds the below to
>>     the user object, the users that are automatically created are
>>     missing this item, if I manually add the item to the user then
>>     they show up in the Org Tree,
>>
>>     The below is what is missing from the auto created/assigned users
>>     objects,
>>
>>        <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
>>     type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL --></parentOrgRef>
>>
>>     JASON
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141202/0dafaeeb/attachment.htm>

From ivan.noris at evolveum.com  Tue Dec  2 16:05:44 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 02 Dec 2014 16:05:44 +0100
Subject: [midPoint] Org Tree Bug, Users not listed
In-Reply-To: <CAFkZXY6ALSynGaO=HbTsL_QZRx_Sx5FBxM8dp8raO+krxKSSDg@mail.gmail.com>
References: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
 <547D6A7A.5000006@evolveum.com>
 <CAFkZXY6ALSynGaO=HbTsL_QZRx_Sx5FBxM8dp8raO+krxKSSDg@mail.gmail.com>
Message-ID: <547DD548.2050707@evolveum.com>

Hi Jason,

(un)fortunately, it still works even with your mapping.

My scenario:

Object template referenced in unmatched situation:
<objectTemplate
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                oid="10000000-0000-0000-0000-000000000203"
                version="7">
   <name>User Template 3</name>
   <description>
            This object is used when creating a new account from
SonisWeb, only Active Students are pulled from CSV.
    </description>
   <mapping>
      <authoritative>true</authoritative>
      <source>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">organization</c:path>
      </source>
      <expression>
         <assignmentTargetSearch>
            <targetType
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:OrgType</targetType>
            <filter
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
               <q:equal>
                  <q:path>name</q:path>
                  <expression>
                     <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$organization</c:path>
                  </expression>
               </q:equal>
            </filter>
         </assignmentTargetSearch>
      </expression>
      <target>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">assignment</c:path>
      </target>
   </mapping>
</objectTemplate>

CSV has been extended by a new column "organization", added value of a
name for my existing organization (not root).

Livesync for new user works, user is created in midPoint, assigned
organization, visible in org. structure. ParentOrgRef element is present.

So it really seems to be fixed somewhere between 3.0.1 and the current
master.

Regards,
Ivan


On 12/02/2014 03:25 PM, Jason Everling wrote:
> Can you try to use my mapping, yours looks to be assigning a specific
> organization,
>
> My mapping in objectTemplate is assigning based on the "organization"
> attribute in the user profile
>
>     <mapping>
>         <authoritative>true</authoritative>
>         <source>
>             <path>organization</path>
>         </source>
>         <expression>
>             <assignmentTargetSearch>
>                 <targetType>c:OrgType</targetType>
>                 <filter>
>                     <q:equal>
>                         <q:path>name</q:path>
>                         <expression>
>                             <path>$organization</path>
>                         </expression>
>                     </q:equal>
>                 </filter>
>             </assignmentTargetSearch>
>         </expression>
>         <target>
>             <path>assignment</path>
>         </target>
>     </mapping>
>
> Thanks!
>
> On Tue, Dec 2, 2014 at 1:30 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Jason,
>
>     first - thank you for detailed report.
>     I've just tested this, but couldn't reproduce with my midPoint
>     version. This is what I've tried to check with you:
>
>     1. using your Sonis Web resource (CSV), slightly modified: removed
>     schema extension inbounds and object template reference in
>     "unmatched" action - but tried also with it
>     2. create most simple object template with only 1 mapping and set
>     it as global user template:
>        <mapping>
>           <expression>
>              <assignmentTargetSearch>
>                 <targetType
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>c:OrgType</targetType>
>                 <oid>00000000-dc00-dc00-0005-000000000001</oid>
>              </assignmentTargetSearch>
>           </expression>
>           <target>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>assignment</c:path>
>           </target>
>        </mapping>
>
>     (the oid is one my root organizations I have in midPoint)
>     3. tried to do LiveSync for two accounts
>     4. both accounts appear in OrgStruct, and of course have parentOrgRef
>     5. then I've switched off the global user template and referenced
>     it directly in "unmatched" situation
>     6. created another account in CSV, livesynced
>     7. the account also works, appears in OrgStruct
>
>     So, unless I'm doing something different, it might as well as be
>     fixed in the devel version I'm running: git-v3.0.1devel-680-g89fbcf7
>
>     If I'm not making some obvious mistake by oversimplifying your
>     scenario, would it be possible to retest this with master? I'd
>     recommend to try it in separate DB repository (H2 is ok) as there
>     is a change in DB schema after 3.0.1 as well as in the connector
>     namespaces (so you would need to change connector references for
>     DB, CSV, LDAP resources for master).
>
>     Thank you.
>     Regards,
>     Ivan
>
>
>     On 12/02/2014 12:36 AM, Jason Everling wrote:
>>     Since I finished up the roles/groups testing I moved onto Orgs, I
>>     got my orgs mapped and working correctly so it is not a
>>     configuration question.
>>
>>     When a user is manually added in the midpoint GUI and the Org
>>     gets assigned manually the users shows up in the GUI in the Org Tree,
>>
>>     If a user is created automatically using a resource such as
>>     DBTable or CSV and the Org is assigned from a objectTemplate they
>>     do not show up in the Org tree under the Org but if I open the
>>     user, sure enough the Org is assigned.
>>
>>     The only thing I notice differently from a manual creation to a
>>     automatic creation is that the manual creation adds the below to
>>     the user object, the users that are automatically created are
>>     missing this item, if I manually add the item to the user then
>>     they show up in the Org Tree,
>>
>>     The below is what is missing from the auto created/assigned users
>>     objects,
>>
>>        <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
>>     type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL --></parentOrgRef>
>>
>>     JASON
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141202/7eab45f9/attachment.htm>

From jeverling at bshp.edu  Tue Dec  2 16:15:31 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Tue, 2 Dec 2014 09:15:31 -0600
Subject: [midPoint] Org Tree Bug, Users not listed
In-Reply-To: <547DD548.2050707@evolveum.com>
References: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
 <547D6A7A.5000006@evolveum.com>
 <CAFkZXY6ALSynGaO=HbTsL_QZRx_Sx5FBxM8dp8raO+krxKSSDg@mail.gmail.com>
 <547DD548.2050707@evolveum.com>
Message-ID: <CAFkZXY59x2B5Goo5f5QuKOkkVw=J=Zw4tfGmLip8b5qTfe7LeQ@mail.gmail.com>

Ah ok, sounds good, Thanks for checking! I will wait until 3.1 comes out to
test any further, or how do I update to the latest 3.0.1 or is that just
devel? I am on the standard 3.0.1 release, I also noticed the iterator was
fixed, awesome!

JASON

On Tue, Dec 2, 2014 at 9:05 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> (un)fortunately, it still works even with your mapping.
>
> My scenario:
>
> Object template referenced in unmatched situation:
> <objectTemplate xmlns=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>                 oid="10000000-0000-0000-0000-000000000203"
>                 version="7">
>    <name>User Template 3</name>
>    <description>
>             This object is used when creating a new account from SonisWeb,
> only Active Students are pulled from CSV.
>     </description>
>    <mapping>
>       <authoritative>true</authoritative>
>       <source>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >organization</c:path>
>       </source>
>       <expression>
>          <assignmentTargetSearch>
>             <targetType xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >c:OrgType</targetType>
>             <filter xmlns:q=
> "http://prism.evolveum.com/xml/ns/public/query-3"
> <http://prism.evolveum.com/xml/ns/public/query-3>>
>                <q:equal>
>                   <q:path>name</q:path>
>                   <expression>
>                      <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >$organization</c:path>
>                   </expression>
>                </q:equal>
>             </filter>
>          </assignmentTargetSearch>
>       </expression>
>       <target>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >assignment</c:path>
>       </target>
>    </mapping>
> </objectTemplate>
>
> CSV has been extended by a new column "organization", added value of a
> name for my existing organization (not root).
>
> Livesync for new user works, user is created in midPoint, assigned
> organization, visible in org. structure. ParentOrgRef element is present.
>
> So it really seems to be fixed somewhere between 3.0.1 and the current
> master.
>
> Regards,
> Ivan
>
>
> On 12/02/2014 03:25 PM, Jason Everling wrote:
>
> Can you try to use my mapping, yours looks to be assigning a specific
> organization,
>
>  My mapping in objectTemplate is assigning based on the "organization"
> attribute in the user profile
>
>      <mapping>
>         <authoritative>true</authoritative>
>         <source>
>             <path>organization</path>
>         </source>
>         <expression>
>             <assignmentTargetSearch>
>                 <targetType>c:OrgType</targetType>
>                 <filter>
>                     <q:equal>
>                         <q:path>name</q:path>
>                         <expression>
>                             <path>$organization</path>
>                         </expression>
>                     </q:equal>
>                 </filter>
>             </assignmentTargetSearch>
>         </expression>
>         <target>
>             <path>assignment</path>
>         </target>
>     </mapping>
>
>  Thanks!
>
> On Tue, Dec 2, 2014 at 1:30 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Jason,
>>
>> first - thank you for detailed report.
>> I've just tested this, but couldn't reproduce with my midPoint version.
>> This is what I've tried to check with you:
>>
>> 1. using your Sonis Web resource (CSV), slightly modified: removed schema
>> extension inbounds and object template reference in "unmatched" action -
>> but tried also with it
>> 2. create most simple object template with only 1 mapping and set it as
>> global user template:
>>    <mapping>
>>       <expression>
>>          <assignmentTargetSearch>
>>             <targetType xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >c:OrgType</targetType>
>>             <oid>00000000-dc00-dc00-0005-000000000001</oid>
>>          </assignmentTargetSearch>
>>       </expression>
>>       <target>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >assignment</c:path>
>>       </target>
>>    </mapping>
>>
>> (the oid is one my root organizations I have in midPoint)
>> 3. tried to do LiveSync for two accounts
>> 4. both accounts appear in OrgStruct, and of course have parentOrgRef
>> 5. then I've switched off the global user template and referenced it
>> directly in "unmatched" situation
>> 6. created another account in CSV, livesynced
>> 7. the account also works, appears in OrgStruct
>>
>> So, unless I'm doing something different, it might as well as be fixed in
>> the devel version I'm running: git-v3.0.1devel-680-g89fbcf7
>>
>> If I'm not making some obvious mistake by oversimplifying your scenario,
>> would it be possible to retest this with master? I'd recommend to try it in
>> separate DB repository (H2 is ok) as there is a change in DB schema after
>> 3.0.1 as well as in the connector namespaces (so you would need to change
>> connector references for DB, CSV, LDAP resources for master).
>>
>> Thank you.
>> Regards,
>> Ivan
>>
>>
>> On 12/02/2014 12:36 AM, Jason Everling wrote:
>>
>>  Since I finished up the roles/groups testing I moved onto Orgs, I got
>> my orgs mapped and working correctly so it is not a configuration question.
>>
>>  When a user is manually added in the midpoint GUI and the Org gets
>> assigned manually the users shows up in the GUI in the Org Tree,
>>
>>  If a user is created automatically using a resource such as DBTable or
>> CSV and the Org is assigned from a objectTemplate they do not show up in
>> the Org tree under the Org but if I open the user, sure enough the Org is
>> assigned.
>>
>>  The only thing I notice differently from a manual creation to a
>> automatic creation is that the manual creation adds the below to the user
>> object, the users that are automatically created are missing this item, if
>> I manually add the item to the user then they show up in the Org Tree,
>>
>>  The below is what is missing from the auto created/assigned users
>> objects,
>>
>>     <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
>> type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL --></parentOrgRef>
>>
>>  JASON
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141202/e4de2992/attachment.htm>

From ivan.noris at evolveum.com  Tue Dec  2 16:28:50 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 02 Dec 2014 16:28:50 +0100
Subject: [midPoint] Org Tree Bug, Users not listed
In-Reply-To: <CAFkZXY59x2B5Goo5f5QuKOkkVw=J=Zw4tfGmLip8b5qTfe7LeQ@mail.gmail.com>
References: <CAFkZXY4g7Ur49GsUQEd_GYiUSE3=QC24va6OPFriXu+taW2SLg@mail.gmail.com>
 <547D6A7A.5000006@evolveum.com>
 <CAFkZXY6ALSynGaO=HbTsL_QZRx_Sx5FBxM8dp8raO+krxKSSDg@mail.gmail.com>
 <547DD548.2050707@evolveum.com>
 <CAFkZXY59x2B5Goo5f5QuKOkkVw=J=Zw4tfGmLip8b5qTfe7LeQ@mail.gmail.com>
Message-ID: <547DDAB2.307@evolveum.com>

Jason,

of course you can wait for 3.1 when it comes out. Or you can try to test
the 3.1 snapshot.

The version I'm using is the latest master - compiled from sources.

You can download latest master - binary version here:
https://www.evolveum.com/download/

Direct link for latest tar.bz2 archive:
http://athena.evolveum.com/builds/master/latest/midpoint-3.1-SNAPSHOT-dist.tar.bz2

After unpacking, in config/sql/_all you can use the SQL script to create
the db repository. I *recommend* to use either new DB or use local
automatically-created H2 embedded database.

You can import most of your objects, but references to embedded
connectors have been updated (LDAP, CSV, DBTable), so your existing
resources need to be updated too. This is namely connectorType and
connector namespace in the resources.

The midPoint iterator is still work in progress (the resource iterator
has been fixed, I've retested it today).

Thank you for your feedbacks,
regards,
Ivan

On 12/02/2014 04:15 PM, Jason Everling wrote:
> Ah ok, sounds good, Thanks for checking! I will wait until 3.1 comes
> out to test any further, or how do I update to the latest 3.0.1 or is
> that just devel? I am on the standard 3.0.1 release, I also noticed
> the iterator was fixed, awesome!
>
> JASON
>
> On Tue, Dec 2, 2014 at 9:05 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     (un)fortunately, it still works even with your mapping.
>
>     My scenario:
>
>     Object template referenced in unmatched situation:
>     <objectTemplate
>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>                     oid="10000000-0000-0000-0000-000000000203"
>                     version="7">
>        <name>User Template 3</name>
>        <description>
>                 This object is used when creating a new account from
>     SonisWeb, only Active Students are pulled from CSV.
>         </description>
>        <mapping>
>           <authoritative>true</authoritative>
>           <source>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>organization</c:path>
>           </source>
>           <expression>
>              <assignmentTargetSearch>
>                 <targetType
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>c:OrgType</targetType>
>                 <filter
>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>     <http://prism.evolveum.com/xml/ns/public/query-3>>
>                    <q:equal>
>                       <q:path>name</q:path>
>                       <expression>
>                          <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$organization</c:path>
>                       </expression>
>                    </q:equal>
>                 </filter>
>              </assignmentTargetSearch>
>           </expression>
>           <target>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>assignment</c:path>
>           </target>
>        </mapping>
>     </objectTemplate>
>
>     CSV has been extended by a new column "organization", added value
>     of a name for my existing organization (not root).
>
>     Livesync for new user works, user is created in midPoint, assigned
>     organization, visible in org. structure. ParentOrgRef element is
>     present.
>
>     So it really seems to be fixed somewhere between 3.0.1 and the
>     current master.
>
>     Regards,
>     Ivan
>
>
>     On 12/02/2014 03:25 PM, Jason Everling wrote:
>>     Can you try to use my mapping, yours looks to be assigning a
>>     specific organization,
>>
>>     My mapping in objectTemplate is assigning based on the
>>     "organization" attribute in the user profile
>>
>>         <mapping>
>>             <authoritative>true</authoritative>
>>             <source>
>>                 <path>organization</path>
>>             </source>
>>             <expression>
>>                 <assignmentTargetSearch>
>>                     <targetType>c:OrgType</targetType>
>>                     <filter>
>>                         <q:equal>
>>                             <q:path>name</q:path>
>>                             <expression>
>>                                 <path>$organization</path>
>>                             </expression>
>>                         </q:equal>
>>                     </filter>
>>                 </assignmentTargetSearch>
>>             </expression>
>>             <target>
>>                 <path>assignment</path>
>>             </target>
>>         </mapping>
>>
>>     Thanks!
>>
>>     On Tue, Dec 2, 2014 at 1:30 AM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Jason,
>>
>>         first - thank you for detailed report.
>>         I've just tested this, but couldn't reproduce with my
>>         midPoint version. This is what I've tried to check with you:
>>
>>         1. using your Sonis Web resource (CSV), slightly modified:
>>         removed schema extension inbounds and object template
>>         reference in "unmatched" action - but tried also with it
>>         2. create most simple object template with only 1 mapping and
>>         set it as global user template:
>>            <mapping>
>>               <expression>
>>                  <assignmentTargetSearch>
>>                     <targetType
>>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>c:OrgType</targetType>
>>                     <oid>00000000-dc00-dc00-0005-000000000001</oid>
>>                  </assignmentTargetSearch>
>>               </expression>
>>               <target>
>>                  <c:path
>>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>assignment</c:path>
>>               </target>
>>            </mapping>
>>
>>         (the oid is one my root organizations I have in midPoint)
>>         3. tried to do LiveSync for two accounts
>>         4. both accounts appear in OrgStruct, and of course have
>>         parentOrgRef
>>         5. then I've switched off the global user template and
>>         referenced it directly in "unmatched" situation
>>         6. created another account in CSV, livesynced
>>         7. the account also works, appears in OrgStruct
>>
>>         So, unless I'm doing something different, it might as well as
>>         be fixed in the devel version I'm running:
>>         git-v3.0.1devel-680-g89fbcf7
>>
>>         If I'm not making some obvious mistake by oversimplifying
>>         your scenario, would it be possible to retest this with
>>         master? I'd recommend to try it in separate DB repository (H2
>>         is ok) as there is a change in DB schema after 3.0.1 as well
>>         as in the connector namespaces (so you would need to change
>>         connector references for DB, CSV, LDAP resources for master).
>>
>>         Thank you.
>>         Regards,
>>         Ivan
>>
>>
>>         On 12/02/2014 12:36 AM, Jason Everling wrote:
>>>         Since I finished up the roles/groups testing I moved onto
>>>         Orgs, I got my orgs mapped and working correctly so it is
>>>         not a configuration question.
>>>
>>>         When a user is manually added in the midpoint GUI and the
>>>         Org gets assigned manually the users shows up in the GUI in
>>>         the Org Tree,
>>>
>>>         If a user is created automatically using a resource such as
>>>         DBTable or CSV and the Org is assigned from a objectTemplate
>>>         they do not show up in the Org tree under the Org but if I
>>>         open the user, sure enough the Org is assigned.
>>>
>>>         The only thing I notice differently from a manual creation
>>>         to a automatic creation is that the manual creation adds the
>>>         below to the user object, the users that are automatically
>>>         created are missing this item, if I manually add the item to
>>>         the user then they show up in the Org Tree,
>>>
>>>         The below is what is missing from the auto created/assigned
>>>         users objects,
>>>
>>>            <parentOrgRef oid="9c3facf5-fd01-46f5-9c28-8488403826be"
>>>         type="OrgType"><!-- OU=SHP Staff,DC=TEST,DC=LOCAL
>>>         --></parentOrgRef>
>>>
>>>         JASON
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141202/4c1a9e1b/attachment.htm>

From dharm.parakh at gmail.com  Wed Dec  3 14:30:22 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Wed, 3 Dec 2014 19:00:22 +0530
Subject: [midPoint] LDAP Group Creation
Message-ID: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>

Hi

I was playing around the ldap connector bundled witth midpoint, It works
well for creating user accounts and user group assignment.

I want to create ldap group, Is it possible using the same connector to
provision ldap group on target ldap resource. basically a
groupOfUniqueNames or a posixGroup.

If possible please point me to the documentation which i can refer and
configure it.


Thanks
Dharmendra Parakh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/0edd3b90/attachment.htm>

From jeverling at bshp.edu  Wed Dec  3 17:24:25 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 10:24:25 -0600
Subject: [midPoint] ScriptedSQL Connector
Message-ID: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>

I was playing around with the ScriptedSQL to see how much I could do with
it for other applications but I cannot import the resource,

I checked on Github and Wiki for a Connector definition but could not find
one, I tried to import maybe thinking it was embedded like the DBTable but
it is not,

Can you provide a Connector object for ScriptedSQL?

Thanks,
JASON

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/10e862b7/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec  3 18:40:58 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 03 Dec 2014 18:40:58 +0100
Subject: [midPoint] ScriptedSQL Connector
In-Reply-To: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
References: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
Message-ID: <547F4B2A.4030007@evolveum.com>

Jason :-)

Maybe I was reading your mind, because just today I've commited samples
for ScriptedSQL Connector.

Provisioning works (samples are for postgresql), we're just fixing sync.

I.

On 12/03/2014 05:24 PM, Jason Everling wrote:
> I was playing around with the ScriptedSQL to see how much I could do
> with it for other applications but I cannot import the resource,
>
> I checked on Github and Wiki for a Connector definition but could not
> find one, I tried to import maybe thinking it was embedded like the
> DBTable but it is not,
>
> Can you provide a Connector object for ScriptedSQL?
>
> Thanks,
> JASON
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/1609887c/attachment.htm>

From jeverling at bshp.edu  Wed Dec  3 18:49:12 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 11:49:12 -0600
Subject: [midPoint] ScriptedSQL Connector
In-Reply-To: <547F4B2A.4030007@evolveum.com>
References: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
 <547F4B2A.4030007@evolveum.com>
Message-ID: <CAFkZXY736Oo1KNB2MesJuayjKdc-x6SBxSUfk0FD8Ly9FYShmA@mail.gmail.com>

Awesome, I just looked at the them, the nosync is what I would use, I just
want to test out pushing some information/attributes to other systems that
do not fall under any of the other resource categories but have a
mssql/mysql database.

Looking at the same nosync though, if I try to import that one also,
midpoint errors stating it cannot find the connector referenced in the file
so I am assuming the connector needs to be added? This connector "<q:value
>org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector</q:value>"
 is not loaded in my midpoint, only DBTable and CSV along with the one I
created for AD.

JASON

On Wed, Dec 3, 2014 at 11:40 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason :-)
>
> Maybe I was reading your mind, because just today I've commited samples
> for ScriptedSQL Connector.
>
> Provisioning works (samples are for postgresql), we're just fixing sync.
>
> I.
>
>
> On 12/03/2014 05:24 PM, Jason Everling wrote:
>
> I was playing around with the ScriptedSQL to see how much I could do with
> it for other applications but I cannot import the resource,
>
>  I checked on Github and Wiki for a Connector definition but could not
> find one, I tried to import maybe thinking it was embedded like the DBTable
> but it is not,
>
>  Can you provide a Connector object for ScriptedSQL?
>
>  Thanks,
> JASON
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/7d0b09f4/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec  3 18:53:19 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 03 Dec 2014 18:53:19 +0100
Subject: [midPoint] ScriptedSQL Connector
In-Reply-To: <CAFkZXY736Oo1KNB2MesJuayjKdc-x6SBxSUfk0FD8Ly9FYShmA@mail.gmail.com>
References: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
 <547F4B2A.4030007@evolveum.com>
 <CAFkZXY736Oo1KNB2MesJuayjKdc-x6SBxSUfk0FD8Ly9FYShmA@mail.gmail.com>
Message-ID: <547F4E0F.8080006@evolveum.com>

Try JAR from here:

http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/connectors/scriptedsql-connector/1.1.2.0.em3/

I.

On 12/03/2014 06:49 PM, Jason Everling wrote:
> Awesome, I just looked at the them, the nosync is what I would use, I
> just want to test out pushing some information/attributes to other
> systems that do not fall under any of the other resource categories
> but have a mssql/mysql database.
>
> Looking at the same nosync though, if I try to import that one also,
> midpoint errors stating it cannot find the connector referenced in the
> file so I am assuming the connector needs to be added? This connector
> "<q:value>org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector</q:value>"
>  is not loaded in my midpoint, only DBTable and CSV along with the one
> I created for AD.
>
> JASON
>
> On Wed, Dec 3, 2014 at 11:40 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Jason :-)
>
>     Maybe I was reading your mind, because just today I've commited
>     samples for ScriptedSQL Connector.
>
>     Provisioning works (samples are for postgresql), we're just fixing
>     sync.
>
>     I.
>
>
>     On 12/03/2014 05:24 PM, Jason Everling wrote:
>>     I was playing around with the ScriptedSQL to see how much I could
>>     do with it for other applications but I cannot import the resource,
>>
>>     I checked on Github and Wiki for a Connector definition but could
>>     not find one, I tried to import maybe thinking it was embedded
>>     like the DBTable but it is not,
>>
>>     Can you provide a Connector object for ScriptedSQL?
>>
>>     Thanks,
>>     JASON
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/ad9e93f6/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec  3 19:00:19 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 03 Dec 2014 19:00:19 +0100
Subject: [midPoint] ScriptedSQL Connector
In-Reply-To: <547F4E0F.8080006@evolveum.com>
References: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
 <547F4B2A.4030007@evolveum.com>
 <CAFkZXY736Oo1KNB2MesJuayjKdc-x6SBxSUfk0FD8Ly9FYShmA@mail.gmail.com>
 <547F4E0F.8080006@evolveum.com>
Message-ID: <547F4FB3.2080501@evolveum.com>

... you need to put this connector to your midpoint.home/icf-connectors
directory as stated in the config.xml

. . .
    <icf>
      <scanClasspath>true</scanClasspath>
      <scanDirectory>${midpoint.home}/icf-connectors</scanDirectory>
    </icf>
. . .

Restarting midpoint is also needed.

I.
On 12/03/2014 06:53 PM, Ivan Noris wrote:
> Try JAR from here:
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/connectors/scriptedsql-connector/1.1.2.0.em3/
>
> I.
>
> On 12/03/2014 06:49 PM, Jason Everling wrote:
>> Awesome, I just looked at the them, the nosync is what I would use, I
>> just want to test out pushing some information/attributes to other
>> systems that do not fall under any of the other resource categories
>> but have a mssql/mysql database.
>>
>> Looking at the same nosync though, if I try to import that one also,
>> midpoint errors stating it cannot find the connector referenced in
>> the file so I am assuming the connector needs to be added? This
>> connector
>> "<q:value>org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector</q:value>"
>>  is not loaded in my midpoint, only DBTable and CSV along with the
>> one I created for AD.
>>
>> JASON
>>
>> On Wed, Dec 3, 2014 at 11:40 AM, Ivan Noris <ivan.noris at evolveum.com
>> <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>     Jason :-)
>>
>>     Maybe I was reading your mind, because just today I've commited
>>     samples for ScriptedSQL Connector.
>>
>>     Provisioning works (samples are for postgresql), we're just
>>     fixing sync.
>>
>>     I.
>>
>>
>>     On 12/03/2014 05:24 PM, Jason Everling wrote:
>>>     I was playing around with the ScriptedSQL to see how much I
>>>     could do with it for other applications but I cannot import the
>>>     resource,
>>>
>>>     I checked on Github and Wiki for a Connector definition but
>>>     could not find one, I tried to import maybe thinking it was
>>>     embedded like the DBTable but it is not,
>>>
>>>     Can you provide a Connector object for ScriptedSQL?
>>>
>>>     Thanks,
>>>     JASON
>>>
>>>
>>>
>>>
>>>
>>>     CONFIDENTIALITY NOTICE:
>>>     This e-mail together with any attachments is proprietary and
>>>     confidential; intended for only the recipient(s) named above and
>>>     may contain information that is privileged. You should not
>>>     retain, copy or use this e-mail or any attachments for any
>>>     purpose, or disclose all or any part of the contents to any
>>>     person. Any views or opinions expressed in this e-mail are those
>>>     of the author and do not represent those of the Baptist School
>>>     of Health Professions. If you have received this e-mail in
>>>     error, or are not the named recipient(s), you are hereby
>>>     notified that any review, dissemination, distribution or copying
>>>     of this communication is prohibited by the sender and to do so
>>>     might constitute a violation of the Electronic Communications
>>>     Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>     notify the sender and delete this e-mail and any attachments
>>>     from your computer.
>>>
>>>
>>>     _______________________________________________
>>>     midPoint mailing list
>>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>     -- 
>>       Ing. Ivan Noris
>>       Senior Identity Management Engineer
>>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>       _____________________________________________
>>       "Semper Id(e)M Vix."
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy
>> or use this e-mail or any attachments for any purpose, or disclose
>> all or any part of the contents to any person. Any views or opinions
>> expressed in this e-mail are those of the author and do not represent
>> those of the Baptist School of Health Professions. If you have
>> received this e-mail in error, or are not the named recipient(s), you
>> are hereby notified that any review, dissemination, distribution or
>> copying of this communication is prohibited by the sender and to do
>> so might constitute a violation of the Electronic Communications
>> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify
>> the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> -- 
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/6d65689e/attachment.htm>

From jeverling at bshp.edu  Wed Dec  3 19:00:25 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 12:00:25 -0600
Subject: [midPoint] ScriptedSQL Connector
In-Reply-To: <547F4E0F.8080006@evolveum.com>
References: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
 <547F4B2A.4030007@evolveum.com>
 <CAFkZXY736Oo1KNB2MesJuayjKdc-x6SBxSUfk0FD8Ly9FYShmA@mail.gmail.com>
 <547F4E0F.8080006@evolveum.com>
Message-ID: <CAFkZXY6AfCYz8nSa_AjHLdViV=DizoAxXj4UiH8TYHOPqM1Mqw@mail.gmail.com>

Thanks, that worked!

JASON

On Wed, Dec 3, 2014 at 11:53 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Try JAR from here:
>
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/connectors/scriptedsql-connector/1.1.2.0.em3/
>
> I.
>
>
> On 12/03/2014 06:49 PM, Jason Everling wrote:
>
> Awesome, I just looked at the them, the nosync is what I would use, I just
> want to test out pushing some information/attributes to other systems that
> do not fall under any of the other resource categories but have a
> mssql/mysql database.
>
>  Looking at the same nosync though, if I try to import that one also,
> midpoint errors stating it cannot find the connector referenced in the file
> so I am assuming the connector needs to be added? This connector "<q:value
> >org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector</q:
> value>"  is not loaded in my midpoint, only DBTable and CSV along with
> the one I created for AD.
>
>  JASON
>
> On Wed, Dec 3, 2014 at 11:40 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Jason :-)
>>
>> Maybe I was reading your mind, because just today I've commited samples
>> for ScriptedSQL Connector.
>>
>> Provisioning works (samples are for postgresql), we're just fixing sync.
>>
>> I.
>>
>>
>> On 12/03/2014 05:24 PM, Jason Everling wrote:
>>
>>  I was playing around with the ScriptedSQL to see how much I could do
>> with it for other applications but I cannot import the resource,
>>
>>  I checked on Github and Wiki for a Connector definition but could not
>> find one, I tried to import maybe thinking it was embedded like the DBTable
>> but it is not,
>>
>>  Can you provide a Connector object for ScriptedSQL?
>>
>>  Thanks,
>> JASON
>>
>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/894e2799/attachment.htm>

From jeverling at bshp.edu  Wed Dec  3 19:01:00 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 12:01:00 -0600
Subject: [midPoint] ScriptedSQL Connector
In-Reply-To: <547F4FB3.2080501@evolveum.com>
References: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
 <547F4B2A.4030007@evolveum.com>
 <CAFkZXY736Oo1KNB2MesJuayjKdc-x6SBxSUfk0FD8Ly9FYShmA@mail.gmail.com>
 <547F4E0F.8080006@evolveum.com> <547F4FB3.2080501@evolveum.com>
Message-ID: <CAFkZXY5RfKPnR=qWgZjz_evFrH-n80gbzMWtf=_GYzOVeFSgbw@mail.gmail.com>

ohh ok, I put in the lib under WEB-INF

JASON

On Wed, Dec 3, 2014 at 12:00 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  ... you need to put this connector to your midpoint.home/icf-connectors
> directory as stated in the config.xml
>
> . . .
>     <icf>
>       <scanClasspath>true</scanClasspath>
>       <scanDirectory>${midpoint.home}/icf-connectors</scanDirectory>
>     </icf>
> . . .
>
> Restarting midpoint is also needed.
>
> I.
>
> On 12/03/2014 06:53 PM, Ivan Noris wrote:
>
> Try JAR from here:
>
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/connectors/scriptedsql-connector/1.1.2.0.em3/
>
> I.
>
> On 12/03/2014 06:49 PM, Jason Everling wrote:
>
> Awesome, I just looked at the them, the nosync is what I would use, I just
> want to test out pushing some information/attributes to other systems that
> do not fall under any of the other resource categories but have a
> mssql/mysql database.
>
>  Looking at the same nosync though, if I try to import that one also,
> midpoint errors stating it cannot find the connector referenced in the file
> so I am assuming the connector needs to be added? This connector "<q:value
> >org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector</q:
> value>"  is not loaded in my midpoint, only DBTable and CSV along with
> the one I created for AD.
>
>  JASON
>
> On Wed, Dec 3, 2014 at 11:40 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Jason :-)
>>
>> Maybe I was reading your mind, because just today I've commited samples
>> for ScriptedSQL Connector.
>>
>> Provisioning works (samples are for postgresql), we're just fixing sync.
>>
>> I.
>>
>>
>> On 12/03/2014 05:24 PM, Jason Everling wrote:
>>
>>  I was playing around with the ScriptedSQL to see how much I could do
>> with it for other applications but I cannot import the resource,
>>
>>  I checked on Github and Wiki for a Connector definition but could not
>> find one, I tried to import maybe thinking it was embedded like the DBTable
>> but it is not,
>>
>>  Can you provide a Connector object for ScriptedSQL?
>>
>>  Thanks,
>> JASON
>>
>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/a15e6833/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec  3 19:02:31 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 03 Dec 2014 19:02:31 +0100
Subject: [midPoint] ScriptedSQL Connector
In-Reply-To: <CAFkZXY5RfKPnR=qWgZjz_evFrH-n80gbzMWtf=_GYzOVeFSgbw@mail.gmail.com>
References: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
 <547F4B2A.4030007@evolveum.com>
 <CAFkZXY736Oo1KNB2MesJuayjKdc-x6SBxSUfk0FD8Ly9FYShmA@mail.gmail.com>
 <547F4E0F.8080006@evolveum.com> <547F4FB3.2080501@evolveum.com>
 <CAFkZXY5RfKPnR=qWgZjz_evFrH-n80gbzMWtf=_GYzOVeFSgbw@mail.gmail.com>
Message-ID: <547F5037.7080902@evolveum.com>

Although this works, redeploying will delete your connector.

So that's why midpoint.home/icf-connectors is used. It's persistent.

I.

On 12/03/2014 07:01 PM, Jason Everling wrote:
> ohh ok, I put in the lib under WEB-INF
>
> JASON
>
> On Wed, Dec 3, 2014 at 12:00 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     ... you need to put this connector to your
>     midpoint.home/icf-connectors directory as stated in the config.xml
>
>     . . .
>         <icf>
>           <scanClasspath>true</scanClasspath>
>           <scanDirectory>${midpoint.home}/icf-connectors</scanDirectory>
>         </icf>
>     . . .
>
>     Restarting midpoint is also needed.
>
>     I.
>
>     On 12/03/2014 06:53 PM, Ivan Noris wrote:
>>     Try JAR from here:
>>
>>     http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/connectors/scriptedsql-connector/1.1.2.0.em3/
>>
>>     I.
>>
>>     On 12/03/2014 06:49 PM, Jason Everling wrote:
>>>     Awesome, I just looked at the them, the nosync is what I would
>>>     use, I just want to test out pushing some information/attributes
>>>     to other systems that do not fall under any of the other
>>>     resource categories but have a mssql/mysql database.
>>>
>>>     Looking at the same nosync though, if I try to import that one
>>>     also, midpoint errors stating it cannot find the connector
>>>     referenced in the file so I am assuming the connector needs to
>>>     be added? This connector
>>>     "<q:value>org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector</q:value>"
>>>      is not loaded in my midpoint, only DBTable and CSV along with
>>>     the one I created for AD.
>>>
>>>     JASON
>>>
>>>     On Wed, Dec 3, 2014 at 11:40 AM, Ivan Noris
>>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>>         Jason :-)
>>>
>>>         Maybe I was reading your mind, because just today I've
>>>         commited samples for ScriptedSQL Connector.
>>>
>>>         Provisioning works (samples are for postgresql), we're just
>>>         fixing sync.
>>>
>>>         I.
>>>
>>>
>>>         On 12/03/2014 05:24 PM, Jason Everling wrote:
>>>>         I was playing around with the ScriptedSQL to see how much I
>>>>         could do with it for other applications but I cannot import
>>>>         the resource,
>>>>
>>>>         I checked on Github and Wiki for a Connector definition but
>>>>         could not find one, I tried to import maybe thinking it was
>>>>         embedded like the DBTable but it is not,
>>>>
>>>>         Can you provide a Connector object for ScriptedSQL?
>>>>
>>>>         Thanks,
>>>>         JASON
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>         CONFIDENTIALITY NOTICE:
>>>>         This e-mail together with any attachments is proprietary
>>>>         and confidential; intended for only the recipient(s) named
>>>>         above and may contain information that is privileged. You
>>>>         should not retain, copy or use this e-mail or any
>>>>         attachments for any purpose, or disclose all or any part of
>>>>         the contents to any person. Any views or opinions expressed
>>>>         in this e-mail are those of the author and do not represent
>>>>         those of the Baptist School of Health Professions. If you
>>>>         have received this e-mail in error, or are not the named
>>>>         recipient(s), you are hereby notified that any review,
>>>>         dissemination, distribution or copying of this
>>>>         communication is prohibited by the sender and to do so
>>>>         might constitute a violation of the Electronic
>>>>         Communications Privacy Act, 18 U.S.C. section 2510-2521.
>>>>         Please immediately notify the sender and delete this e-mail
>>>>         and any attachments from your computer.
>>>>
>>>>
>>>>         _______________________________________________
>>>>         midPoint mailing list
>>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>         -- 
>>>           Ing. Ivan Noris
>>>           Senior Identity Management Engineer
>>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>           _____________________________________________
>>>           "Semper Id(e)M Vix."
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>     CONFIDENTIALITY NOTICE:
>>>     This e-mail together with any attachments is proprietary and
>>>     confidential; intended for only the recipient(s) named above and
>>>     may contain information that is privileged. You should not
>>>     retain, copy or use this e-mail or any attachments for any
>>>     purpose, or disclose all or any part of the contents to any
>>>     person. Any views or opinions expressed in this e-mail are those
>>>     of the author and do not represent those of the Baptist School
>>>     of Health Professions. If you have received this e-mail in
>>>     error, or are not the named recipient(s), you are hereby
>>>     notified that any review, dissemination, distribution or copying
>>>     of this communication is prohibited by the sender and to do so
>>>     might constitute a violation of the Electronic Communications
>>>     Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>     notify the sender and delete this e-mail and any attachments
>>>     from your computer.
>>>
>>>
>>>     _______________________________________________
>>>     midPoint mailing list
>>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>     -- 
>>       Ing. Ivan Noris
>>       Senior Identity Management Engineer
>>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>       _____________________________________________
>>       "Semper Id(e)M Vix."
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/6cdbb7c8/attachment.htm>

From jeverling at bshp.edu  Wed Dec  3 19:04:27 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 12:04:27 -0600
Subject: [midPoint] ScriptedSQL Connector
In-Reply-To: <547F5037.7080902@evolveum.com>
References: <CAFkZXY50jYPH2-ygR6kjRLEB+j6wW1tAfcgG4oeNTRxLO5Sj2w@mail.gmail.com>
 <547F4B2A.4030007@evolveum.com>
 <CAFkZXY736Oo1KNB2MesJuayjKdc-x6SBxSUfk0FD8Ly9FYShmA@mail.gmail.com>
 <547F4E0F.8080006@evolveum.com> <547F4FB3.2080501@evolveum.com>
 <CAFkZXY5RfKPnR=qWgZjz_evFrH-n80gbzMWtf=_GYzOVeFSgbw@mail.gmail.com>
 <547F5037.7080902@evolveum.com>
Message-ID: <CAFkZXY4cAbLt2xnDK1hLUAZTcsHdD5DPaHxfCutKexKNqAXNdQ@mail.gmail.com>

Thanks for the tip, I changed it after I saw your last email,

JASON

On Wed, Dec 3, 2014 at 12:02 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Although this works, redeploying will delete your connector.
>
> So that's why midpoint.home/icf-connectors is used. It's persistent.
>
> I.
>
>
> On 12/03/2014 07:01 PM, Jason Everling wrote:
>
> ohh ok, I put in the lib under WEB-INF
>
>  JASON
>
> On Wed, Dec 3, 2014 at 12:00 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  ... you need to put this connector to your midpoint.home/icf-connectors
>> directory as stated in the config.xml
>>
>> . . .
>>     <icf>
>>       <scanClasspath>true</scanClasspath>
>>       <scanDirectory>${midpoint.home}/icf-connectors</scanDirectory>
>>     </icf>
>> . . .
>>
>> Restarting midpoint is also needed.
>>
>> I.
>>
>> On 12/03/2014 06:53 PM, Ivan Noris wrote:
>>
>> Try JAR from here:
>>
>>
>> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/connectors/scriptedsql-connector/1.1.2.0.em3/
>>
>> I.
>>
>> On 12/03/2014 06:49 PM, Jason Everling wrote:
>>
>> Awesome, I just looked at the them, the nosync is what I would use, I
>> just want to test out pushing some information/attributes to other systems
>> that do not fall under any of the other resource categories but have a
>> mssql/mysql database.
>>
>>  Looking at the same nosync though, if I try to import that one also,
>> midpoint errors stating it cannot find the connector referenced in the file
>> so I am assuming the connector needs to be added? This connector "<q:
>> value>org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector</
>> q:value>"  is not loaded in my midpoint, only DBTable and CSV along with
>> the one I created for AD.
>>
>>  JASON
>>
>> On Wed, Dec 3, 2014 at 11:40 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Jason :-)
>>>
>>> Maybe I was reading your mind, because just today I've commited samples
>>> for ScriptedSQL Connector.
>>>
>>> Provisioning works (samples are for postgresql), we're just fixing sync.
>>>
>>> I.
>>>
>>>
>>> On 12/03/2014 05:24 PM, Jason Everling wrote:
>>>
>>>  I was playing around with the ScriptedSQL to see how much I could do
>>> with it for other applications but I cannot import the resource,
>>>
>>>  I checked on Github and Wiki for a Connector definition but could not
>>> find one, I tried to import maybe thinking it was embedded like the DBTable
>>> but it is not,
>>>
>>>  Can you provide a Connector object for ScriptedSQL?
>>>
>>>  Thanks,
>>> JASON
>>>
>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/de513c79/attachment.htm>

From jeverling at bshp.edu  Wed Dec  3 22:14:41 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 15:14:41 -0600
Subject: [midPoint] DBTable - Users in Midpoint already exist in database
Message-ID: <CAFkZXY7MMGwKjYWdmB5_z9iu+Bd2b7vnrFphjOcTuzHggMyhsg@mail.gmail.com>

I wouldn't to double-check this,

I setup database table resource but the database already contains all our
students/faculty/staff so I DO NOT want midpoint creating accounts on the
resource, all push/update information for existing users.

I tested it and it seems ok, If I update a user in midpoint it will
automatically add the resource and link the accounts. Basically all I am
wanting to sync or update to this resource is firstname/lastname and
password along with some other attributes that I have not yet defined.
Works so far but I wanted to make sure that midpoint would not delete or
create on this resource, only update if found.

I attached the resource, please when you have time take a look at it.

JASON

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/a5bd4546/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbtable2_dev.xml
Type: text/xml
Size: 8555 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/a5bd4546/attachment.xml>

From jeverling at bshp.edu  Wed Dec  3 22:15:27 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 15:15:27 -0600
Subject: [midPoint] DBTable - Users in Midpoint already exist in database
In-Reply-To: <CAFkZXY7MMGwKjYWdmB5_z9iu+Bd2b7vnrFphjOcTuzHggMyhsg@mail.gmail.com>
References: <CAFkZXY7MMGwKjYWdmB5_z9iu+Bd2b7vnrFphjOcTuzHggMyhsg@mail.gmail.com>
Message-ID: <CAFkZXY4nar+d_EpzNARb8d+YfHJ6Z=Uu-VVzDu8cszTp+33A+w@mail.gmail.com>

*wanted to double-check, not wouldn't, was a typo

On Wed, Dec 3, 2014 at 3:14 PM, Jason Everling <jeverling at bshp.edu> wrote:

> I wouldn't to double-check this,
>
> I setup database table resource but the database already contains all our
> students/faculty/staff so I DO NOT want midpoint creating accounts on the
> resource, all push/update information for existing users.
>
> I tested it and it seems ok, If I update a user in midpoint it will
> automatically add the resource and link the accounts. Basically all I am
> wanting to sync or update to this resource is firstname/lastname and
> password along with some other attributes that I have not yet defined.
> Works so far but I wanted to make sure that midpoint would not delete or
> create on this resource, only update if found.
>
> I attached the resource, please when you have time take a look at it.
>
> JASON
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/ec903295/attachment.htm>

From jeverling at bshp.edu  Thu Dec  4 00:33:18 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 17:33:18 -0600
Subject: [midPoint] DBTable - Users in Midpoint already exist in database
In-Reply-To: <CAFkZXY4nar+d_EpzNARb8d+YfHJ6Z=Uu-VVzDu8cszTp+33A+w@mail.gmail.com>
References: <CAFkZXY7MMGwKjYWdmB5_z9iu+Bd2b7vnrFphjOcTuzHggMyhsg@mail.gmail.com>
 <CAFkZXY4nar+d_EpzNARb8d+YfHJ6Z=Uu-VVzDu8cszTp+33A+w@mail.gmail.com>
Message-ID: <CAFkZXY4KTVa1OLYgQD8yDBB-y+LZvwOXHzn9R=_m3M8PRf6rnQ@mail.gmail.com>

Another question, since the accounts already exists in the application
database, midpoint will link the accounts only after the resource account
is modified. Is there a way to force link existing accounts without having
to wait and modify the resource account

For example:

John Doe is already in DBTable Resource
John Doe is already in Midpoint

Correlation will match employeeNumber.

So far, the only way to get midpoint to link the 2 accounts is to modify
the account on the resource, in the database table, I modify some attribute
then after I save the link is created in Midpoint.

On Wed, Dec 3, 2014 at 3:15 PM, Jason Everling <jeverling at bshp.edu> wrote:

> *wanted to double-check, not wouldn't, was a typo
>
> On Wed, Dec 3, 2014 at 3:14 PM, Jason Everling <jeverling at bshp.edu> wrote:
>
>> I wouldn't to double-check this,
>>
>> I setup database table resource but the database already contains all our
>> students/faculty/staff so I DO NOT want midpoint creating accounts on the
>> resource, all push/update information for existing users.
>>
>> I tested it and it seems ok, If I update a user in midpoint it will
>> automatically add the resource and link the accounts. Basically all I am
>> wanting to sync or update to this resource is firstname/lastname and
>> password along with some other attributes that I have not yet defined.
>> Works so far but I wanted to make sure that midpoint would not delete or
>> create on this resource, only update if found.
>>
>> I attached the resource, please when you have time take a look at it.
>>
>> JASON
>>
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/9c865929/attachment.htm>

From jeverling at bshp.edu  Thu Dec  4 01:46:22 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 3 Dec 2014 18:46:22 -0600
Subject: [midPoint] DBTable - Users in Midpoint already exist in database
In-Reply-To: <CAFkZXY4KTVa1OLYgQD8yDBB-y+LZvwOXHzn9R=_m3M8PRf6rnQ@mail.gmail.com>
References: <CAFkZXY7MMGwKjYWdmB5_z9iu+Bd2b7vnrFphjOcTuzHggMyhsg@mail.gmail.com>
 <CAFkZXY4nar+d_EpzNARb8d+YfHJ6Z=Uu-VVzDu8cszTp+33A+w@mail.gmail.com>
 <CAFkZXY4KTVa1OLYgQD8yDBB-y+LZvwOXHzn9R=_m3M8PRf6rnQ@mail.gmail.com>
Message-ID: <CAFkZXY7u83TjJv38UHh5RJ2Rq4yVv2tsy=5nGJCNWQhKKjs2pA@mail.gmail.com>

Nevermind! I got it going by using a reconciliation task which linked all
existing accounts!

JASON

On Wed, Dec 3, 2014 at 5:33 PM, Jason Everling <jeverling at bshp.edu> wrote:

> Another question, since the accounts already exists in the application
> database, midpoint will link the accounts only after the resource account
> is modified. Is there a way to force link existing accounts without having
> to wait and modify the resource account
>
> For example:
>
> John Doe is already in DBTable Resource
> John Doe is already in Midpoint
>
> Correlation will match employeeNumber.
>
> So far, the only way to get midpoint to link the 2 accounts is to modify
> the account on the resource, in the database table, I modify some attribute
> then after I save the link is created in Midpoint.
>
> On Wed, Dec 3, 2014 at 3:15 PM, Jason Everling <jeverling at bshp.edu> wrote:
>
>> *wanted to double-check, not wouldn't, was a typo
>>
>> On Wed, Dec 3, 2014 at 3:14 PM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> I wouldn't to double-check this,
>>>
>>> I setup database table resource but the database already contains all
>>> our students/faculty/staff so I DO NOT want midpoint creating accounts on
>>> the resource, all push/update information for existing users.
>>>
>>> I tested it and it seems ok, If I update a user in midpoint it will
>>> automatically add the resource and link the accounts. Basically all I am
>>> wanting to sync or update to this resource is firstname/lastname and
>>> password along with some other attributes that I have not yet defined.
>>> Works so far but I wanted to make sure that midpoint would not delete or
>>> create on this resource, only update if found.
>>>
>>> I attached the resource, please when you have time take a look at it.
>>>
>>> JASON
>>>
>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141203/1148c399/attachment.htm>

From ivan.noris at evolveum.com  Thu Dec  4 08:59:22 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 04 Dec 2014 08:59:22 +0100
Subject: [midPoint] DBTable - Users in Midpoint already exist in database
In-Reply-To: <CAFkZXY7u83TjJv38UHh5RJ2Rq4yVv2tsy=5nGJCNWQhKKjs2pA@mail.gmail.com>
References: <CAFkZXY7MMGwKjYWdmB5_z9iu+Bd2b7vnrFphjOcTuzHggMyhsg@mail.gmail.com>
 <CAFkZXY4nar+d_EpzNARb8d+YfHJ6Z=Uu-VVzDu8cszTp+33A+w@mail.gmail.com>
 <CAFkZXY4KTVa1OLYgQD8yDBB-y+LZvwOXHzn9R=_m3M8PRf6rnQ@mail.gmail.com>
 <CAFkZXY7u83TjJv38UHh5RJ2Rq4yVv2tsy=5nGJCNWQhKKjs2pA@mail.gmail.com>
Message-ID: <5480145A.9080809@evolveum.com>

Jason,

yes, the reconciliation task is what you want to correlate the users.

Basically reconciliation and livesync are very similar, they both do the
same thing, correlate resource objects (i.e. accounts) and midPoint
focal objects (i.e. users). The difference is only WHEN do they do it.
The configuration is common for all, it's the <synchronization> part of
the resource.

While reconciliation task is/can be scheduled and will do everything in
one run, Livesync is for immediate synchronization to react to changes
as they are done in the source resource. There is also Import task,
which can be used to initially import data to midPoint from resource,
but basically it's very similar to reconciliation.

https://wiki.evolveum.com/display/midPoint/Synchronization
https://wiki.evolveum.com/display/midPoint/Synchronization+Flavors

One interesting option is to run the reconciliation with "dry-run" flag
enabled. This can be configured in GUI, Server tasks - edit task (or
while creating new task). The "dry-run" will cause midPoint to evaluate
the resource object and to detect the situation (like UNMATCHED,
UNLINKED etc.). The shadow objects will be created, but nothing else
will be changed on resource or in midPoint. This is great for testing
the "sanity" of the correlation rules. For example if you configure
synchronization for resource with many users that you expect to be
linked with existing midPoint users, and you go to "Configuration -
Shadow details" and lookup the resulting situations, if you have 90% of
UNMATCHED accounts, the correlation expression was probably not correct.

In your situation, where you already have existing accounts and users,
but they were not correlated, updating user in midPoint will do the
correlation as well. midPoint will try to do provisioning, it will fail
because the account already exists and if there is <synchronization>
section on the resource, it will try to correlate the just-discovered
(the conflicting) account and synchronize it. If the owner is the same
user as you were trying to provision, it will be linked and that's it.
Otherwise, the discovered account could even cause to add new user in
midPoint.
In case that there was the conflict AND the already existing account
will not correlate to the same user, iteration, if configured, will be
used to ensure that the original request (to provision account for that
user) is satisfied. Without iterator configuration, the request will
fail with "already exists".

There is one more thing you can do, if you're interested. If the DB
Table resource is only to be authoritative and you never want to
update/create/delete anything there from midPoint, you can use
capabilities in resource to disable create/update/delete operations. Any
attempt to execute that operation will then deliberately fail.

. . .
        </schemaHandling>

                <capabilities
xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
                        <configured>
                                <cap:create>
                                        <cap:enabled>false</cap:enabled>
                                </cap:create>
                                <cap:update>
                                        <cap:enabled>false</cap:enabled>
                                </cap:update>
                                <cap:delete>
                                        <cap:enabled>false</cap:enabled>
                                </cap:delete>
                        </configured>
                </capabilities>
        <synchronization>
. . .

But it all depends on how much authoritative the resource is and if you
really do not want to update data there.

Regards,
Ivan

On 12/04/2014 01:46 AM, Jason Everling wrote:
> Nevermind! I got it going by using a reconciliation task which linked
> all existing accounts!
>
> JASON
>
> On Wed, Dec 3, 2014 at 5:33 PM, Jason Everling <jeverling at bshp.edu
> <mailto:jeverling at bshp.edu>> wrote:
>
>     Another question, since the accounts already exists in the
>     application database, midpoint will link the accounts only after
>     the resource account is modified. Is there a way to force link
>     existing accounts without having to wait and modify the resource
>     account
>
>     For example:
>
>     John Doe is already in DBTable Resource
>     John Doe is already in Midpoint
>
>     Correlation will match employeeNumber.
>
>     So far, the only way to get midpoint to link the 2 accounts is to
>     modify the account on the resource, in the database table, I
>     modify some attribute then after I save the link is created in
>     Midpoint.
>
>     On Wed, Dec 3, 2014 at 3:15 PM, Jason Everling <jeverling at bshp.edu
>     <mailto:jeverling at bshp.edu>> wrote:
>
>         *wanted to double-check, not wouldn't, was a typo
>
>         On Wed, Dec 3, 2014 at 3:14 PM, Jason Everling
>         <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>
>             I wouldn't to double-check this,
>
>             I setup database table resource but the database already
>             contains all our students/faculty/staff so I DO NOT want
>             midpoint creating accounts on the resource, all
>             push/update information for existing users.
>
>             I tested it and it seems ok, If I update a user in
>             midpoint it will automatically add the resource and link
>             the accounts. Basically all I am wanting to sync or update
>             to this resource is firstname/lastname and password along
>             with some other attributes that I have not yet defined.
>             Works so far but I wanted to make sure that midpoint would
>             not delete or create on this resource, only update if found.
>
>             I attached the resource, please when you have time take a
>             look at it.
>
>             JASON
>
>
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/4bb085f3/attachment.htm>

From dnataraj at trilobytesystems.com  Thu Dec  4 09:42:44 2014
From: dnataraj at trilobytesystems.com (Deepak Natarajan)
Date: Thu, 04 Dec 2014 09:42:44 +0100
Subject: [midPoint] addFocus vs addUser reactions.
Message-ID: <54801E84.10701@trilobytesystems.com>


Hi -

Just a general question. Is there any subtle difference between

                <action>
                   
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
                </action>

and

                    <action
ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>


Or is it just the latter just present for backward compatibility with
pre 3.0 verisons of Midpoint?

Thanks!


BR/
-- 
Deepak Natarajan





From ivan.noris at evolveum.com  Thu Dec  4 10:06:21 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 04 Dec 2014 10:06:21 +0100
Subject: [midPoint] addFocus vs addUser reactions.
In-Reply-To: <54801E84.10701@trilobytesystems.com>
References: <54801E84.10701@trilobytesystems.com>
Message-ID: <5480240D.8050304@evolveum.com>

Hi Deepak,

according to
https://github.com/Evolveum/midpoint/blob/master/model/model-impl/src/main/resources/ctx-model.xml
the addUser (and other pre-3.0) actions are now deprecated and used for
backward compability only just as you assumed.

Regards,
Ivan

On 12/04/2014 09:42 AM, Deepak Natarajan wrote:
> Hi -
>
> Just a general question. Is there any subtle difference between
>
>                 <action>
>                    
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>                 </action>
>
> and
>
>                     <action
> ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
>
>
> Or is it just the latter just present for backward compatibility with
> pre 3.0 verisons of Midpoint?
>
> Thanks!
>
>
> BR/

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."



From dharm.parakh at gmail.com  Thu Dec  4 10:28:32 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Thu, 4 Dec 2014 14:58:32 +0530
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>
Message-ID: <CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>

HI

Is there any out of the box configuration to achieve it or i have to write
a connector?

Waiting for response..

Regards
Dharmendra

On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh <dharm.parakh at gmail.com>
wrote:

> Hi
>
> I was playing around the ldap connector bundled witth midpoint, It works
> well for creating user accounts and user group assignment.
>
> I want to create ldap group, Is it possible using the same connector to
> provision ldap group on target ldap resource. basically a
> groupOfUniqueNames or a posixGroup.
>
> If possible please point me to the documentation which i can refer and
> configure it.
>
>
> Thanks
> Dharmendra Parakh
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/2bd0047d/attachment.htm>

From ivan.noris at evolveum.com  Thu Dec  4 10:37:27 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 04 Dec 2014 10:37:27 +0100
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>
 <CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>
Message-ID: <54802B57.1090207@evolveum.com>

Hi,

you don't need new connector to create LDAP groups. Just configuration
in midPoint: new schemaHandling <objectType> and corresponding
<synchronization><objectType> parts for kind=entitlement and intent=group.

For example you may check the sample:
samples/reosurces/opendj/opendj-resource-genericsync.xml to see how it
can be configured.

After you have this configured, you can create a role which will
construct the kind=entitlement,intent=group object on the LDAP resource.

Then you assign such role to either organization or role in midpoint and
it will provision corresponding group to LDAP.

Please refer also to:
https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization

Regards,
Ivan

On 12/04/2014 10:28 AM, dharmendra parakh wrote:
> HI
>
> Is there any out of the box configuration to achieve it or i have to
> write a connector?
>
> Waiting for response..
>
> Regards
> Dharmendra
>
> On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh
> <dharm.parakh at gmail.com <mailto:dharm.parakh at gmail.com>> wrote:
>
>     Hi
>
>     I was playing around the ldap connector bundled witth midpoint, It
>     works well for creating user accounts and user group assignment. 
>
>     I want to create ldap group, Is it possible using the same
>     connector to provision ldap group on target ldap resource.
>     basically a groupOfUniqueNames or a posixGroup.
>
>     If possible please point me to the documentation which i can refer
>     and configure it.
>
>
>     Thanks
>     Dharmendra Parakh
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/bd4f0000/attachment.htm>

From dharm.parakh at gmail.com  Thu Dec  4 11:46:37 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Thu, 4 Dec 2014 16:16:37 +0530
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <54802B57.1090207@evolveum.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>
 <CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>
 <54802B57.1090207@evolveum.com>
Message-ID: <CAKvVWqwvDNNFBe5AsCAXc08OjRKE6Q26EWLafV3CN+va-ExwKw@mail.gmail.com>

Hi Ivan

Thanks for the information. I have this already configured in my LDAP
resource.

I gone through all these documents and then i tried to implement the same
synchronization techinique.

So I created a role MetaRole and added LDAP resource as an inducement (I
did not filled any information in resource form)
Then i created another role and when i try to add that MetaRole as
assignment to this role i am getting an error saying :

Couldn't add object. Schema violation: Schema violation during processing
shadow: shadow: null (OID:null): Schema violation:
javax.naming.directory.SchemaViolationException([LDAP: error code 65 -
object class 'inetOrgPerson' requires attribute 'sn']

I am confused why it is trying to create inetOrgPerson object instead of
groupOfNames.

Is it a configuration issue or i am doing something wrong, Can you help me
figuring this out. My resource configuration is attached just for your
reference,


Regards
Dharmendra


On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi,
>
> you don't need new connector to create LDAP groups. Just configuration in
> midPoint: new schemaHandling <objectType> and corresponding
> <synchronization><objectType> parts for kind=entitlement and intent=group.
>
> For example you may check the sample:
> samples/reosurces/opendj/opendj-resource-genericsync.xml to see how it can
> be configured.
>
> After you have this configured, you can create a role which will construct
> the kind=entitlement,intent=group object on the LDAP resource.
>
> Then you assign such role to either organization or role in midpoint and
> it will provision corresponding group to LDAP.
>
> Please refer also to:
> https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
> https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>
> https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>
> Regards,
> Ivan
>
>
> On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>
> HI
>
>  Is there any out of the box configuration to achieve it or i have to
> write a connector?
>
>  Waiting for response..
>
>  Regards
> Dharmendra
>
> On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh <dharm.parakh at gmail.com>
> wrote:
>
>> Hi
>>
>>  I was playing around the ldap connector bundled witth midpoint, It
>> works well for creating user accounts and user group assignment.
>>
>>  I want to create ldap group, Is it possible using the same connector to
>> provision ldap group on target ldap resource. basically a
>> groupOfUniqueNames or a posixGroup.
>>
>>  If possible please point me to the documentation which i can refer and
>> configure it.
>>
>>
>>  Thanks
>>  Dharmendra Parakh
>>
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/8d0b2977/attachment.htm>
-------------- next part --------------
   <schemaHandling>
      <objectType>
         <kind>account</kind>
         <displayName>Normal Account</displayName>
         <default>true</default>
         <objectClass xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:AccountObjectClass</objectClass>
         <attribute>
            <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
            <displayName>Distinguished Name</displayName>
            <limitations>
               <minOccurs>0</minOccurs>
               <access>
                  <read>true</read>
                  <add>true</add>
                  <modify>true</modify>
               </access>
            </limitations>
            <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
            <outbound>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/name</c:path>
               </source>
               <expression>
                  <script>
                     <code>
 								'uid=' + name + iterationToken + ',ou=people,dc=example,dc=com'
 							</code>
                  </script>
               </expression>
            </outbound>
         </attribute>
         <attribute>
            <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:uid</ref>
            <displayName>Entry UUID</displayName>
            <limitations>
               <access>
                  <read>true</read>
                  <add>false</add>
                  <modify>true</modify>
               </access>
            </limitations>
            <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</ref>
            <displayName>Common Name</displayName>
            <limitations>
               <minOccurs>0</minOccurs>
               <access>
                  <read>true</read>
                  <add>true</add>
                  <modify>true</modify>
               </access>
            </limitations>
            <outbound>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/fullName</c:path>
               </source>
            </outbound>
            <inbound>
               <target>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/fullName</c:path>
               </target>
            </inbound>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:sn</ref>
            <displayName>Surname</displayName>
            <limitations>
               <minOccurs>0</minOccurs>
            </limitations>
            <outbound>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">familyName</c:path>
               </source>
            </outbound>
            <inbound>
               <target>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">familyName</c:path>
               </target>
            </inbound>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:givenName</ref>
            <displayName>Given Name</displayName>
            <outbound>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
               </source>
            </outbound>
            <inbound>
               <target>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
               </target>
            </inbound>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:uid</ref>
            <displayName>Login Name</displayName>
            <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
            <outbound>
               <strength>weak</strength>
               <source>
                  <description>Source may have description</description>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/name</c:path>
               </source>
            </outbound>
            <inbound>
               <target>
                  <description>Targets may have description</description>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:name</c:path>
               </target>
            </inbound>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</ref>
            <outbound>
               <strength>weak</strength>
               <expression>
                  <description>Expression that assigns a fixed value</description>
                  <value>Created by midPoint</value>
               </expression>
            </outbound>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</ref>
            <displayName>Location</displayName>
            <outbound>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/locality</c:path>
               </source>
            </outbound>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:employeeType</ref>
            <displayName>Employee Type</displayName>
            <tolerant>false</tolerant>
            <outbound>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/employeeType</c:path>
               </source>
            </outbound>
         </attribute>
         <association>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</ref>
            <displayName>LDAP Group Membership</displayName>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <direction>objectToSubject</direction>
            <associationAttribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:member</associationAttribute>
            <valueAttribute xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</valueAttribute>
         </association>
         <iteration>
            <maxIterations>5</maxIterations>
         </iteration>
         <protected>
            <icfs:name xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">cn=manager,dc=example,dc=com</icfs:name>
         </protected>
         <activation>
            <administrativeStatus>
               <outbound/>
               <inbound>
                  <strength>weak</strength>
                  <expression>
                     <asIs/>
                  </expression>
               </inbound>
            </administrativeStatus>
         </activation>
         <credentials>
            <password>
               <outbound>
                  <expression>
                     <asIs/>
                  </expression>
               </outbound>
               <inbound>
                  <strength>weak</strength>
                  <expression>
                     <generate/>
                  </expression>
               </inbound>
            </password>
         </credentials>
      </objectType>
      <objectType>
         <kind>entitlement</kind>
         <intent>ldapGroup</intent>
         <displayName>LDAP Group</displayName>
         <objectClass xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:CustomgroupOfNamesObjectClass</objectClass>
         <attribute>
            <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
            <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
            <outbound>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$focus/name</c:path>
               </source>
               <expression>
                  <script>
                     <code>
 								import javax.naming.ldap.Rdn
 								import javax.naming.ldap.LdapName
 								
 								dn = new LdapName('ou=groups,dc=example,dc=com')
 								dn.add(new Rdn('cn', name.toString()))
 								return dn.toString()
 							</code>
                  </script>
               </expression>
            </outbound>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:member</ref>
            <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</ref>
            <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
            <outbound>
               <strength>weak</strength>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$focus/name</c:path>
               </source>
            </outbound>
         </attribute>
         <attribute>
            <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</ref>
            <outbound>
               <source>
                  <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">description</c:path>
               </source>
            </outbound>
         </attribute>
      </objectType>
   </schemaHandling>

From ivan.noris at evolveum.com  Thu Dec  4 11:59:43 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 04 Dec 2014 11:59:43 +0100
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <CAKvVWqwvDNNFBe5AsCAXc08OjRKE6Q26EWLafV3CN+va-ExwKw@mail.gmail.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>	<CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>	<54802B57.1090207@evolveum.com>
 <CAKvVWqwvDNNFBe5AsCAXc08OjRKE6Q26EWLafV3CN+va-ExwKw@mail.gmail.com>
Message-ID: <54803E9F.10507@evolveum.com>

Hi Dharmendra,

this is my sample role for organization (or a fragment of it), which I
assign to the organizations in midPoint. This role will cause
provisioning to LDAP:

<role oid="00000000-dc00-dc00-0004-000000000010"
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
        xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
    <name>Role for org. structure replication to directory</name>
   
. . .
    <inducement>
        <construction>
                <resourceRef oid="00000000-dc00-dc00-0001-100000000002"
type="c:ResourceType"/>
               *<kind>entitlement</kind>**
**             <intent>billing-group</intent>*
        </construction>
    </inducement>
. . .

This means, that I have to have resource (my oid is
"00000000-dc00-dc00-0001-100000000002"), where I have defined:
<schemaHandling>
. . .
        <objectType>
            *<kind>entitlement</kind>**
**            <intent>billing-group</intent>*
            <displayName>Group for billing</displayName>
            <default>false</default>
            *<objectClass>ri:GroupObjectClass</objectClass>*
            <attribute>
                <ref>icfs:name</ref> <!-- required attribute on AD -->
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
. . .
rest of outbounds needed for group attributes here
. . .

So, if *role gets assigned to my organization in midPoint (Edit
organization, and add the role to Assignments, not inducements)*, it
will construct object of type entitlement, kind of billing-group. The
schemaHandling associates entitlement/kind with
objectClass=GroupObjectClass. So provisioning will create group, not
account. The attributes for the group are based on your schema handling
expressions for the entitlement/billing-group.

If the role does not specify kind/intent, defaults are used
(kind=account, intent=default). So this may cause creating accounts
instead of groups ...

If everything works, you may have the role automatically assigned to all
organizations in midPoint as they are created. But I will do this only
if everything works, because it's easier to debug.

Hope this helps,
regards,
Ivan


On 12/04/2014 11:46 AM, dharmendra parakh wrote:
> Hi Ivan 
>
> Thanks for the information. I have this already configured in my LDAP
> resource.
>
> I gone through all these documents and then i tried to implement the
> same synchronization techinique.
>
> So I created a role MetaRole and added LDAP resource as an inducement
> (I did not filled any information in resource form)
> Then i created another role and when i try to add that MetaRole as
> assignment to this role i am getting an error saying :
>
> Couldn't add object. Schema violation: Schema violation during
> processing shadow: shadow: null (OID:null): Schema violation:
> javax.naming.directory.SchemaViolationException([LDAP: error code 65 -
> object class 'inetOrgPerson' requires attribute 'sn']
>
> I am confused why it is trying to create inetOrgPerson object instead
> of groupOfNames.
>
> Is it a configuration issue or i am doing something wrong, Can you
> help me figuring this out. My resource configuration is attached just
> for your reference, 
>
>
> Regards
> Dharmendra
>
>
> On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi,
>
>     you don't need new connector to create LDAP groups. Just
>     configuration in midPoint: new schemaHandling <objectType> and
>     corresponding <synchronization><objectType> parts for
>     kind=entitlement and intent=group.
>
>     For example you may check the sample:
>     samples/reosurces/opendj/opendj-resource-genericsync.xml to see
>     how it can be configured.
>
>     After you have this configured, you can create a role which will
>     construct the kind=entitlement,intent=group object on the LDAP
>     resource.
>
>     Then you assign such role to either organization or role in
>     midpoint and it will provision corresponding group to LDAP.
>
>     Please refer also to:
>     https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>     https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>     https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>
>     Regards,
>     Ivan
>
>
>     On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>     HI
>>
>>     Is there any out of the box configuration to achieve it or i have
>>     to write a connector?
>>
>>     Waiting for response..
>>
>>     Regards
>>     Dharmendra
>>
>>     On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh
>>     <dharm.parakh at gmail.com <mailto:dharm.parakh at gmail.com>> wrote:
>>
>>         Hi
>>
>>         I was playing around the ldap connector bundled witth
>>         midpoint, It works well for creating user accounts and user
>>         group assignment. 
>>
>>         I want to create ldap group, Is it possible using the same
>>         connector to provision ldap group on target ldap resource.
>>         basically a groupOfUniqueNames or a posixGroup.
>>
>>         If possible please point me to the documentation which i can
>>         refer and configure it.
>>
>>
>>         Thanks
>>         Dharmendra Parakh
>>
>>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/a59d0b19/attachment.htm>

From dharm.parakh at gmail.com  Thu Dec  4 13:40:58 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Thu, 4 Dec 2014 18:10:58 +0530
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <54803E9F.10507@evolveum.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>
 <CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>
 <54802B57.1090207@evolveum.com>
 <CAKvVWqwvDNNFBe5AsCAXc08OjRKE6Q26EWLafV3CN+va-ExwKw@mail.gmail.com>
 <54803E9F.10507@evolveum.com>
Message-ID: <CAKvVWqzT+9QvxMGxWtSZUriJPjZO_pQB7BgNgT9esR0g_VQgcw@mail.gmail.com>

Hi

Thanks for all the information.

I added the resource inducement to the role but kind and indent information
was not added to the role definition so i modified the xml and added

<kind>entitlement</kind>
<intent>ldapGroup</intent>

in inducement construction as per my resource configuration.

Now i assigned my role to organization, it goes and tries to create object
of groupOfNames but operation fails because there was no member added to
group and member is a required attribute in groupOfNames objectclass.
So where we have to add the member dn and how can we do that ?

Regards
Dharmendra



On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Dharmendra,
>
> this is my sample role for organization (or a fragment of it), which I
> assign to the organizations in midPoint. This role will cause provisioning
> to LDAP:
>
> <role oid="00000000-dc00-dc00-0004-000000000010"
>         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>         xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> <http://prism.evolveum.com/xml/ns/public/types-3>
>         xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
> <http://midpoint.evolveum.com/xml/ns/samples/piracy>>
>     <name>Role for org. structure replication to directory</name>
>
> . . .
>     <inducement>
>         <construction>
>                 <resourceRef oid="00000000-dc00-dc00-0001-100000000002"
> type="c:ResourceType"/>
>                * <kind>entitlement</kind>*
> *             <intent>billing-group</intent>*
>         </construction>
>     </inducement>
> . . .
>
> This means, that I have to have resource (my oid is
> "00000000-dc00-dc00-0001-100000000002"), where I have defined:
> <schemaHandling>
> . . .
>         <objectType>
>             *<kind>entitlement</kind>*
> *            <intent>billing-group</intent>*
>             <displayName>Group for billing</displayName>
>             <default>false</default>
>             *<objectClass>ri:GroupObjectClass</objectClass>*
>             <attribute>
>                 <ref>icfs:name</ref> <!-- required attribute on AD -->
>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>                 <outbound>
> . . .
> rest of outbounds needed for group attributes here
> . . .
>
> So, if *role gets assigned to my organization in midPoint (Edit
> organization, and add the role to Assignments, not inducements)*, it will
> construct object of type entitlement, kind of billing-group. The
> schemaHandling associates entitlement/kind with
> objectClass=GroupObjectClass. So provisioning will create group, not
> account. The attributes for the group are based on your schema handling
> expressions for the entitlement/billing-group.
>
> If the role does not specify kind/intent, defaults are used (kind=account,
> intent=default). So this may cause creating accounts instead of groups ...
>
> If everything works, you may have the role automatically assigned to all
> organizations in midPoint as they are created. But I will do this only if
> everything works, because it's easier to debug.
>
> Hope this helps,
> regards,
> Ivan
>
>
>
> On 12/04/2014 11:46 AM, dharmendra parakh wrote:
>
> Hi Ivan
>
>  Thanks for the information. I have this already configured in my LDAP
> resource.
>
>  I gone through all these documents and then i tried to implement the
> same synchronization techinique.
>
>  So I created a role MetaRole and added LDAP resource as an inducement (I
> did not filled any information in resource form)
> Then i created another role and when i try to add that MetaRole as
> assignment to this role i am getting an error saying :
>
>  Couldn't add object. Schema violation: Schema violation during
> processing shadow: shadow: null (OID:null): Schema violation:
> javax.naming.directory.SchemaViolationException([LDAP: error code 65 -
> object class 'inetOrgPerson' requires attribute 'sn']
>
>  I am confused why it is trying to create inetOrgPerson object instead of
> groupOfNames.
>
>  Is it a configuration issue or i am doing something wrong, Can you help
> me figuring this out. My resource configuration is attached just for your
> reference,
>
>
>  Regards
> Dharmendra
>
>
> On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi,
>>
>> you don't need new connector to create LDAP groups. Just configuration in
>> midPoint: new schemaHandling <objectType> and corresponding
>> <synchronization><objectType> parts for kind=entitlement and intent=group.
>>
>> For example you may check the sample:
>> samples/reosurces/opendj/opendj-resource-genericsync.xml to see how it can
>> be configured.
>>
>> After you have this configured, you can create a role which will
>> construct the kind=entitlement,intent=group object on the LDAP resource.
>>
>> Then you assign such role to either organization or role in midpoint and
>> it will provision corresponding group to LDAP.
>>
>> Please refer also to:
>> https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>> https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>
>> https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>
>>  HI
>>
>>  Is there any out of the box configuration to achieve it or i have to
>> write a connector?
>>
>>  Waiting for response..
>>
>>  Regards
>> Dharmendra
>>
>> On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh <dharm.parakh at gmail.com
>> > wrote:
>>
>>> Hi
>>>
>>>  I was playing around the ldap connector bundled witth midpoint, It
>>> works well for creating user accounts and user group assignment.
>>>
>>>  I want to create ldap group, Is it possible using the same connector
>>> to provision ldap group on target ldap resource. basically a
>>> groupOfUniqueNames or a posixGroup.
>>>
>>>  If possible please point me to the documentation which i can refer and
>>> configure it.
>>>
>>>
>>>  Thanks
>>>  Dharmendra Parakh
>>>
>>
>>
>>
>>  _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/e6acb92c/attachment.htm>

From ivan.noris at evolveum.com  Thu Dec  4 14:00:48 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 04 Dec 2014 14:00:48 +0100
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <CAKvVWqzT+9QvxMGxWtSZUriJPjZO_pQB7BgNgT9esR0g_VQgcw@mail.gmail.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>	<CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>	<54802B57.1090207@evolveum.com>	<CAKvVWqwvDNNFBe5AsCAXc08OjRKE6Q26EWLafV3CN+va-ExwKw@mail.gmail.com>	<54803E9F.10507@evolveum.com>
 <CAKvVWqzT+9QvxMGxWtSZUriJPjZO_pQB7BgNgT9esR0g_VQgcw@mail.gmail.com>
Message-ID: <54805B00.5060107@evolveum.com>

Hi,

defining kind/intent is now not possible in GUI, only in XML. This will
be enhanced in the near future.

Can you send the resource? Thank you.

I.

On 12/04/2014 01:40 PM, dharmendra parakh wrote:
> Hi
>
> Thanks for all the information.
>
> I added the resource inducement to the role but kind and indent
> information was not added to the role definition so i modified the xml
> and added 
>
> <kind>entitlement</kind>
> <intent>ldapGroup</intent>
>
> in inducement construction as per my resource configuration.
>
> Now i assigned my role to organization, it goes and tries to create
> object of groupOfNames but operation fails because there was no member
> added to group and member is a required attribute in groupOfNames
> objectclass.
> So where we have to add the member dn and how can we do that ?
>
> Regards
> Dharmendra
>
>
>
> On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Dharmendra,
>
>     this is my sample role for organization (or a fragment of it),
>     which I assign to the organizations in midPoint. This role will
>     cause provisioning to LDAP:
>
>     <role oid="00000000-dc00-dc00-0004-000000000010"
>            
>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>            
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>             xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>     <http://prism.evolveum.com/xml/ns/public/types-3>
>            
>     xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
>     <http://midpoint.evolveum.com/xml/ns/samples/piracy>>
>         <name>Role for org. structure replication to directory</name>
>        
>     . . .
>         <inducement>
>             <construction>
>                     <resourceRef
>     oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
>                    *<kind>entitlement</kind>**
>     **             <intent>billing-group</intent>*
>             </construction>
>         </inducement>
>     . . .
>
>     This means, that I have to have resource (my oid is
>     "00000000-dc00-dc00-0001-100000000002"), where I have defined:
>     <schemaHandling>
>     . . .
>             <objectType>
>                 *<kind>entitlement</kind>**
>     **            <intent>billing-group</intent>*
>                 <displayName>Group for billing</displayName>
>                 <default>false</default>
>                 *<objectClass>ri:GroupObjectClass</objectClass>*
>                 <attribute>
>                     <ref>icfs:name</ref> <!-- required attribute on AD -->
>                     <matchingRule>mr:stringIgnoreCase</matchingRule>
>                     <outbound>
>     . . .
>     rest of outbounds needed for group attributes here
>     . . .
>
>     So, if *role gets assigned to my organization in midPoint (Edit
>     organization, and add the role to Assignments, not inducements)*,
>     it will construct object of type entitlement, kind of
>     billing-group. The schemaHandling associates entitlement/kind with
>     objectClass=GroupObjectClass. So provisioning will create group,
>     not account. The attributes for the group are based on your schema
>     handling expressions for the entitlement/billing-group.
>
>     If the role does not specify kind/intent, defaults are used
>     (kind=account, intent=default). So this may cause creating
>     accounts instead of groups ...
>
>     If everything works, you may have the role automatically assigned
>     to all organizations in midPoint as they are created. But I will
>     do this only if everything works, because it's easier to debug.
>
>     Hope this helps,
>     regards,
>     Ivan
>
>
>
>     On 12/04/2014 11:46 AM, dharmendra parakh wrote:
>>     Hi Ivan 
>>
>>     Thanks for the information. I have this already configured in my
>>     LDAP resource.
>>
>>     I gone through all these documents and then i tried to implement
>>     the same synchronization techinique.
>>
>>     So I created a role MetaRole and added LDAP resource as an
>>     inducement (I did not filled any information in resource form)
>>     Then i created another role and when i try to add that MetaRole
>>     as assignment to this role i am getting an error saying :
>>
>>     Couldn't add object. Schema violation: Schema violation during
>>     processing shadow: shadow: null (OID:null): Schema violation:
>>     javax.naming.directory.SchemaViolationException([LDAP: error code
>>     65 - object class 'inetOrgPerson' requires attribute 'sn']
>>
>>     I am confused why it is trying to create inetOrgPerson object
>>     instead of groupOfNames.
>>
>>     Is it a configuration issue or i am doing something wrong, Can
>>     you help me figuring this out. My resource configuration is
>>     attached just for your reference, 
>>
>>
>>     Regards
>>     Dharmendra
>>
>>
>>     On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Hi,
>>
>>         you don't need new connector to create LDAP groups. Just
>>         configuration in midPoint: new schemaHandling <objectType>
>>         and corresponding <synchronization><objectType> parts for
>>         kind=entitlement and intent=group.
>>
>>         For example you may check the sample:
>>         samples/reosurces/opendj/opendj-resource-genericsync.xml to
>>         see how it can be configured.
>>
>>         After you have this configured, you can create a role which
>>         will construct the kind=entitlement,intent=group object on
>>         the LDAP resource.
>>
>>         Then you assign such role to either organization or role in
>>         midpoint and it will provision corresponding group to LDAP.
>>
>>         Please refer also to:
>>         https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>>         https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>         https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>>
>>         Regards,
>>         Ivan
>>
>>
>>         On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>>         HI
>>>
>>>         Is there any out of the box configuration to achieve it or i
>>>         have to write a connector?
>>>
>>>         Waiting for response..
>>>
>>>         Regards
>>>         Dharmendra
>>>
>>>         On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh
>>>         <dharm.parakh at gmail.com <mailto:dharm.parakh at gmail.com>> wrote:
>>>
>>>             Hi
>>>
>>>             I was playing around the ldap connector bundled witth
>>>             midpoint, It works well for creating user accounts and
>>>             user group assignment. 
>>>
>>>             I want to create ldap group, Is it possible using the
>>>             same connector to provision ldap group on target ldap
>>>             resource. basically a groupOfUniqueNames or a posixGroup.
>>>
>>>             If possible please point me to the documentation which i
>>>             can refer and configure it.
>>>
>>>
>>>             Thanks
>>>             Dharmendra Parakh
>>>
>>>
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/2f70b9be/attachment.htm>

From dharm.parakh at gmail.com  Thu Dec  4 14:20:57 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Thu, 4 Dec 2014 18:50:57 +0530
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <CAKvVWqzT+9QvxMGxWtSZUriJPjZO_pQB7BgNgT9esR0g_VQgcw@mail.gmail.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>
 <CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>
 <54802B57.1090207@evolveum.com>
 <CAKvVWqwvDNNFBe5AsCAXc08OjRKE6Q26EWLafV3CN+va-ExwKw@mail.gmail.com>
 <54803E9F.10507@evolveum.com>
 <CAKvVWqzT+9QvxMGxWtSZUriJPjZO_pQB7BgNgT9esR0g_VQgcw@mail.gmail.com>
Message-ID: <CAKvVWqyoqYnt2m-jNUusYY5LtTiFtzrtfTn-T59AHq4KHvmcNg@mail.gmail.com>

Hi Ivan

I figured it out, i modified my role definition and added member attribute
to it, for example:

<inducement id="1">
      <construction>
         <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874"
type="ResourceType"/>
         <kind>entitlement</kind>
         <intent>ldapGroup</intent>
         <attribute>
            <ref>ri:member</ref>
            <outbound>
               <expression>
                  <value>uid=jodoe,dc=example,dc=com</value>
               </expression>
            </outbound>
         </attribute>
      </construction>
   </inducement>

Now when i assign this role to any other role or organization it creates a
ldap group with that role/organization name.


Now i have few questions:

Q. Is it the right way to add member attribute ?

Q. To make the role of kind "entitlement" do we always have to update the
xml to add kind, intent and member information?

Q.  When i make any changes like i changed the role name then the member
information was gone from my role. Is it an issue or we cannot change this?

Q. What all types of group are supported with this ldap connector like
groupOfUniqueNames and PosixGroup?




Thanks
Dharmendra




On Thu, Dec 4, 2014 at 6:10 PM, dharmendra parakh <dharm.parakh at gmail.com>
wrote:

> Hi
>
> Thanks for all the information.
>
> I added the resource inducement to the role but kind and indent
> information was not added to the role definition so i modified the xml and
> added
>
> <kind>entitlement</kind>
> <intent>ldapGroup</intent>
>
> in inducement construction as per my resource configuration.
>
> Now i assigned my role to organization, it goes and tries to create object
> of groupOfNames but operation fails because there was no member added to
> group and member is a required attribute in groupOfNames objectclass.
> So where we have to add the member dn and how can we do that ?
>
> Regards
> Dharmendra
>
>
>
> On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Dharmendra,
>>
>> this is my sample role for organization (or a fragment of it), which I
>> assign to the organizations in midPoint. This role will cause provisioning
>> to LDAP:
>>
>> <role oid="00000000-dc00-dc00-0004-000000000010"
>>         xmlns=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>         xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>> <http://prism.evolveum.com/xml/ns/public/types-3>
>>         xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
>> <http://midpoint.evolveum.com/xml/ns/samples/piracy>>
>>     <name>Role for org. structure replication to directory</name>
>>
>> . . .
>>     <inducement>
>>         <construction>
>>                 <resourceRef oid="00000000-dc00-dc00-0001-100000000002"
>> type="c:ResourceType"/>
>>                * <kind>entitlement</kind>*
>> *             <intent>billing-group</intent>*
>>         </construction>
>>     </inducement>
>> . . .
>>
>> This means, that I have to have resource (my oid is
>> "00000000-dc00-dc00-0001-100000000002"), where I have defined:
>> <schemaHandling>
>> . . .
>>         <objectType>
>>             *<kind>entitlement</kind>*
>> *            <intent>billing-group</intent>*
>>             <displayName>Group for billing</displayName>
>>             <default>false</default>
>>             *<objectClass>ri:GroupObjectClass</objectClass>*
>>             <attribute>
>>                 <ref>icfs:name</ref> <!-- required attribute on AD -->
>>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>>                 <outbound>
>> . . .
>> rest of outbounds needed for group attributes here
>> . . .
>>
>> So, if *role gets assigned to my organization in midPoint (Edit
>> organization, and add the role to Assignments, not inducements)*, it
>> will construct object of type entitlement, kind of billing-group. The
>> schemaHandling associates entitlement/kind with
>> objectClass=GroupObjectClass. So provisioning will create group, not
>> account. The attributes for the group are based on your schema handling
>> expressions for the entitlement/billing-group.
>>
>> If the role does not specify kind/intent, defaults are used
>> (kind=account, intent=default). So this may cause creating accounts instead
>> of groups ...
>>
>> If everything works, you may have the role automatically assigned to all
>> organizations in midPoint as they are created. But I will do this only if
>> everything works, because it's easier to debug.
>>
>> Hope this helps,
>> regards,
>> Ivan
>>
>>
>>
>> On 12/04/2014 11:46 AM, dharmendra parakh wrote:
>>
>> Hi Ivan
>>
>>  Thanks for the information. I have this already configured in my LDAP
>> resource.
>>
>>  I gone through all these documents and then i tried to implement the
>> same synchronization techinique.
>>
>>  So I created a role MetaRole and added LDAP resource as an inducement
>> (I did not filled any information in resource form)
>> Then i created another role and when i try to add that MetaRole as
>> assignment to this role i am getting an error saying :
>>
>>  Couldn't add object. Schema violation: Schema violation during
>> processing shadow: shadow: null (OID:null): Schema violation:
>> javax.naming.directory.SchemaViolationException([LDAP: error code 65 -
>> object class 'inetOrgPerson' requires attribute 'sn']
>>
>>  I am confused why it is trying to create inetOrgPerson object instead
>> of groupOfNames.
>>
>>  Is it a configuration issue or i am doing something wrong, Can you help
>> me figuring this out. My resource configuration is attached just for your
>> reference,
>>
>>
>>  Regards
>> Dharmendra
>>
>>
>> On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi,
>>>
>>> you don't need new connector to create LDAP groups. Just configuration
>>> in midPoint: new schemaHandling <objectType> and corresponding
>>> <synchronization><objectType> parts for kind=entitlement and intent=group.
>>>
>>> For example you may check the sample:
>>> samples/reosurces/opendj/opendj-resource-genericsync.xml to see how it can
>>> be configured.
>>>
>>> After you have this configured, you can create a role which will
>>> construct the kind=entitlement,intent=group object on the LDAP resource.
>>>
>>> Then you assign such role to either organization or role in midpoint and
>>> it will provision corresponding group to LDAP.
>>>
>>> Please refer also to:
>>> https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>>> https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>>
>>> https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>>
>>>  HI
>>>
>>>  Is there any out of the box configuration to achieve it or i have to
>>> write a connector?
>>>
>>>  Waiting for response..
>>>
>>>  Regards
>>> Dharmendra
>>>
>>> On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh <
>>> dharm.parakh at gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>>  I was playing around the ldap connector bundled witth midpoint, It
>>>> works well for creating user accounts and user group assignment.
>>>>
>>>>  I want to create ldap group, Is it possible using the same connector
>>>> to provision ldap group on target ldap resource. basically a
>>>> groupOfUniqueNames or a posixGroup.
>>>>
>>>>  If possible please point me to the documentation which i can refer
>>>> and configure it.
>>>>
>>>>
>>>>  Thanks
>>>>  Dharmendra Parakh
>>>>
>>>
>>>
>>>
>>>  _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/e4121cb4/attachment.htm>

From ivan.noris at evolveum.com  Thu Dec  4 14:39:13 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 04 Dec 2014 14:39:13 +0100
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <CAKvVWqyoqYnt2m-jNUusYY5LtTiFtzrtfTn-T59AHq4KHvmcNg@mail.gmail.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>	<CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>	<54802B57.1090207@evolveum.com>	<CAKvVWqwvDNNFBe5AsCAXc08OjRKE6Q26EWLafV3CN+va-ExwKw@mail.gmail.com>	<54803E9F.10507@evolveum.com>	<CAKvVWqzT+9QvxMGxWtSZUriJPjZO_pQB7BgNgT9esR0g_VQgcw@mail.gmail.com>
 <CAKvVWqyoqYnt2m-jNUusYY5LtTiFtzrtfTn-T59AHq4KHvmcNg@mail.gmail.com>
Message-ID: <54806401.8040406@evolveum.com>

Hi Dharmendra,

your fix is ok, but it means that every group created by you will have
this member...

Anyway, I'd like to see the resource configuration, because in my
deployments on LDAP I must have been using another group type - as I
never needed to put member there.

See answers below:

On 12/04/2014 02:20 PM, dharmendra parakh wrote:
> Hi Ivan
>
> I figured it out, i modified my role definition and added member
> attribute to it, for example:
>
> <inducement id="1">
>       <construction>
>          <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874"
> type="ResourceType"/>
>          <kind>entitlement</kind>
>          <intent>ldapGroup</intent>
>          <attribute>
>             <ref>ri:member</ref>
>             <outbound>
>                <expression>
>                   <value>uid=jodoe,dc=example,dc=com</value>
>                </expression>
>             </outbound>
>          </attribute>
>       </construction>
>    </inducement>
>
> Now when i assign this role to any other role or organization it
> creates a ldap group with that role/organization name.
>
>
> Now i have few questions:
>
> Q. Is it the right way to add member attribute ?

I doubt so. I could create groups without this mandatory member.
What directory server are you using? I was testing on OpenDJ.

>
> Q. To make the role of kind "entitlement" do we always have to update
> the xml to add kind, intent and member information?
>
Only when you create the role, which has construction for something
other than default account. As I said, this will be enhanced.


> Q.  When i make any changes like i changed the role name then the
> member information was gone from my role. Is it an issue or we cannot
> change this?

This seems to be a bug. Changing role name is definitely ok. I would set
the member in schema handling in the resource though.

>
> Q. What all types of group are supported with this ldap connector like
> groupOfUniqueNames and PosixGroup?

Everything what is in the schema fetched from the resource.

You can go to Configuration - Repository objects - Resource - open your
LDAP resource and check the contents of <schema>..</schema>. That are
all types that can be provisioned.

I.

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."



From ivan.noris at evolveum.com  Thu Dec  4 15:07:25 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 04 Dec 2014 15:07:25 +0100
Subject: [midPoint] LDAP Group Creation
In-Reply-To: <CAKvVWqyoqYnt2m-jNUusYY5LtTiFtzrtfTn-T59AHq4KHvmcNg@mail.gmail.com>
References: <CAKvVWqy_ROwdq0Qv5JPfhg9H7-vuiBT91Hd3=mZg=rYY8dhMRw@mail.gmail.com>	<CAKvVWqwrUgZ5RdpGbMW-svG0cT3F71fVjQnfwEJVhApLKNE2Tw@mail.gmail.com>	<54802B57.1090207@evolveum.com>	<CAKvVWqwvDNNFBe5AsCAXc08OjRKE6Q26EWLafV3CN+va-ExwKw@mail.gmail.com>	<54803E9F.10507@evolveum.com>	<CAKvVWqzT+9QvxMGxWtSZUriJPjZO_pQB7BgNgT9esR0g_VQgcw@mail.gmail.com>
 <CAKvVWqyoqYnt2m-jNUusYY5LtTiFtzrtfTn-T59AHq4KHvmcNg@mail.gmail.com>
Message-ID: <54806A9D.7070706@evolveum.com>

OK, so now I know...

Seems you are using OpenLDAP... and its GroupOfNames objectClass
requires having at least one member of any group.

So there are basically 3 options:
1) having one static (dummy) member in each group - which probably you
have even now before you tried to test midPoint
2) modification of schema in OpenLDAP
3) another directory server

>From these options, 1) seems to be the fastest and with no collateral
damage.

So the mapping you have for ri:member can be either in the role or in
the resource schemaHandling for this kind/intent combination.

>From your schema I see that the following can be used:
- CustomposixGroupObjectClass (corresponding to LDAP's posixGroup) with
memberUid attribute
- GroupObjectClass (corresponding perhaps to GroupOfUniqueNames?
connector hides this as __GROUP__) with
- CustomGroupOfNamesObjectClass (corresponding to LDAP's groupOfNames)
with member attribute - this is what you use now

If you need to create groups of more than one type, you need to extend
your resource configuration (almost copy/paste from what you have now
for CustomGroupOfNamesObjectClass, but with different objectClass, and
intent. The kind will be entitlement for all of them.

Regards,
Ivan

On 12/04/2014 02:20 PM, dharmendra parakh wrote:
> Hi Ivan
>
> I figured it out, i modified my role definition and added member
> attribute to it, for example:
>
> <inducement id="1">
>       <construction>
>          <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874"
> type="ResourceType"/>
>          <kind>entitlement</kind>
>          <intent>ldapGroup</intent>
>          <attribute>
>             <ref>ri:member</ref>
>             <outbound>
>                <expression>
>                   <value>uid=jodoe,dc=example,dc=com</value>
>                </expression>
>             </outbound>
>          </attribute>
>       </construction>
>    </inducement>
>
> Now when i assign this role to any other role or organization it
> creates a ldap group with that role/organization name.
>
>
> Now i have few questions:
>
> Q. Is it the right way to add member attribute ?
>
> Q. To make the role of kind "entitlement" do we always have to update
> the xml to add kind, intent and member information?
>
> Q.  When i make any changes like i changed the role name then the
> member information was gone from my role. Is it an issue or we cannot
> change this?
>
> Q. What all types of group are supported with this ldap connector like
> groupOfUniqueNames and PosixGroup?
>
>
>
>
> Thanks
> Dharmendra
>
>
>
>
> On Thu, Dec 4, 2014 at 6:10 PM, dharmendra parakh
> <dharm.parakh at gmail.com <mailto:dharm.parakh at gmail.com>> wrote:
>
>     Hi
>
>     Thanks for all the information.
>
>     I added the resource inducement to the role but kind and indent
>     information was not added to the role definition so i modified the
>     xml and added 
>
>     <kind>entitlement</kind>
>     <intent>ldapGroup</intent>
>
>     in inducement construction as per my resource configuration.
>
>     Now i assigned my role to organization, it goes and tries to
>     create object of groupOfNames but operation fails because there
>     was no member added to group and member is a required attribute in
>     groupOfNames objectclass.
>     So where we have to add the member dn and how can we do that ?
>
>     Regards
>     Dharmendra
>
>
>
>     On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris
>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>         Hi Dharmendra,
>
>         this is my sample role for organization (or a fragment of it),
>         which I assign to the organizations in midPoint. This role
>         will cause provisioning to LDAP:
>
>         <role oid="00000000-dc00-dc00-0004-000000000010"
>                
>         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>                
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>                
>         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>         <http://prism.evolveum.com/xml/ns/public/types-3>
>                
>         xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy"
>         <http://midpoint.evolveum.com/xml/ns/samples/piracy>>
>             <name>Role for org. structure replication to directory</name>
>            
>         . . .
>             <inducement>
>                 <construction>
>                         <resourceRef
>         oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
>                        *<kind>entitlement</kind>**
>         **             <intent>billing-group</intent>*
>                 </construction>
>             </inducement>
>         . . .
>
>         This means, that I have to have resource (my oid is
>         "00000000-dc00-dc00-0001-100000000002"), where I have defined:
>         <schemaHandling>
>         . . .
>                 <objectType>
>                     *<kind>entitlement</kind>**
>         **            <intent>billing-group</intent>*
>                     <displayName>Group for billing</displayName>
>                     <default>false</default>
>                     *<objectClass>ri:GroupObjectClass</objectClass>*
>                     <attribute>
>                         <ref>icfs:name</ref> <!-- required attribute
>         on AD -->
>                         <matchingRule>mr:stringIgnoreCase</matchingRule>
>                         <outbound>
>         . . .
>         rest of outbounds needed for group attributes here
>         . . .
>
>         So, if *role gets assigned to my organization in midPoint
>         (Edit organization, and add the role to Assignments, not
>         inducements)*, it will construct object of type entitlement,
>         kind of billing-group. The schemaHandling associates
>         entitlement/kind with objectClass=GroupObjectClass. So
>         provisioning will create group, not account. The attributes
>         for the group are based on your schema handling expressions
>         for the entitlement/billing-group.
>
>         If the role does not specify kind/intent, defaults are used
>         (kind=account, intent=default). So this may cause creating
>         accounts instead of groups ...
>
>         If everything works, you may have the role automatically
>         assigned to all organizations in midPoint as they are created.
>         But I will do this only if everything works, because it's
>         easier to debug.
>
>         Hope this helps,
>         regards,
>         Ivan
>
>
>
>         On 12/04/2014 11:46 AM, dharmendra parakh wrote:
>>         Hi Ivan 
>>
>>         Thanks for the information. I have this already configured in
>>         my LDAP resource.
>>
>>         I gone through all these documents and then i tried to
>>         implement the same synchronization techinique.
>>
>>         So I created a role MetaRole and added LDAP resource as an
>>         inducement (I did not filled any information in resource form)
>>         Then i created another role and when i try to add that
>>         MetaRole as assignment to this role i am getting an error
>>         saying :
>>
>>         Couldn't add object. Schema violation: Schema violation
>>         during processing shadow: shadow: null (OID:null): Schema
>>         violation:
>>         javax.naming.directory.SchemaViolationException([LDAP: error
>>         code 65 - object class 'inetOrgPerson' requires attribute 'sn']
>>
>>         I am confused why it is trying to create inetOrgPerson object
>>         instead of groupOfNames.
>>
>>         Is it a configuration issue or i am doing something wrong,
>>         Can you help me figuring this out. My resource configuration
>>         is attached just for your reference, 
>>
>>
>>         Regards
>>         Dharmendra
>>
>>
>>         On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris
>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>             Hi,
>>
>>             you don't need new connector to create LDAP groups. Just
>>             configuration in midPoint: new schemaHandling
>>             <objectType> and corresponding
>>             <synchronization><objectType> parts for kind=entitlement
>>             and intent=group.
>>
>>             For example you may check the sample:
>>             samples/reosurces/opendj/opendj-resource-genericsync.xml
>>             to see how it can be configured.
>>
>>             After you have this configured, you can create a role
>>             which will construct the kind=entitlement,intent=group
>>             object on the LDAP resource.
>>
>>             Then you assign such role to either organization or role
>>             in midpoint and it will provision corresponding group to
>>             LDAP.
>>
>>             Please refer also to:
>>             https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>>             https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>             https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>>
>>             Regards,
>>             Ivan
>>
>>
>>             On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>>             HI
>>>
>>>             Is there any out of the box configuration to achieve it
>>>             or i have to write a connector?
>>>
>>>             Waiting for response..
>>>
>>>             Regards
>>>             Dharmendra
>>>
>>>             On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh
>>>             <dharm.parakh at gmail.com <mailto:dharm.parakh at gmail.com>>
>>>             wrote:
>>>
>>>                 Hi
>>>
>>>                 I was playing around the ldap connector bundled
>>>                 witth midpoint, It works well for creating user
>>>                 accounts and user group assignment. 
>>>
>>>                 I want to create ldap group, Is it possible using
>>>                 the same connector to provision ldap group on target
>>>                 ldap resource. basically a groupOfUniqueNames or a
>>>                 posixGroup.
>>>
>>>                 If possible please point me to the documentation
>>>                 which i can refer and configure it.
>>>
>>>
>>>                 Thanks
>>>                 Dharmendra Parakh
>>>
>>>
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>             -- 
>>               Ing. Ivan Noris
>>               Senior Identity Management Engineer
>>               evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>               _____________________________________________
>>               "Semper Id(e)M Vix."
>>
>>
>>             _______________________________________________
>>             midPoint mailing list
>>             midPoint at lists.evolveum.com
>>             <mailto:midPoint at lists.evolveum.com>
>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>         -- 
>           Ing. Ivan Noris
>           Senior Identity Management Engineer
>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>           _____________________________________________
>           "Semper Id(e)M Vix."
>
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/97b8c86b/attachment.htm>

From jeverling at bshp.edu  Thu Dec  4 15:22:35 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 4 Dec 2014 08:22:35 -0600
Subject: [midPoint] DBTable - Users in Midpoint already exist in database
In-Reply-To: <5480145A.9080809@evolveum.com>
References: <CAFkZXY7MMGwKjYWdmB5_z9iu+Bd2b7vnrFphjOcTuzHggMyhsg@mail.gmail.com>
 <CAFkZXY4nar+d_EpzNARb8d+YfHJ6Z=Uu-VVzDu8cszTp+33A+w@mail.gmail.com>
 <CAFkZXY4KTVa1OLYgQD8yDBB-y+LZvwOXHzn9R=_m3M8PRf6rnQ@mail.gmail.com>
 <CAFkZXY7u83TjJv38UHh5RJ2Rq4yVv2tsy=5nGJCNWQhKKjs2pA@mail.gmail.com>
 <5480145A.9080809@evolveum.com>
Message-ID: <CAFkZXY6-gwzUVMSxqi8TQhOf4hRrnN=pykczrz9pPqCzwDH_Jg@mail.gmail.com>

Thanks for the explanation, very helpful. I think I will add the capability
statements for create and delete, I do want updates. This resource
currently imports users from Active Directory but it is a one time thing
and changes made later to the account in AD are not updated and also
passwords are not sync'd. Having it in midpoint, the password/email
address/ and a few other attributes will be updated as the changes are made
in Midpoint.

I am just now looking at all the other possibilities from just syncing with
our student system!

Thanks Again!
JASON

On Thu, Dec 4, 2014 at 1:59 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> yes, the reconciliation task is what you want to correlate the users.
>
> Basically reconciliation and livesync are very similar, they both do the
> same thing, correlate resource objects (i.e. accounts) and midPoint focal
> objects (i.e. users). The difference is only WHEN do they do it. The
> configuration is common for all, it's the <synchronization> part of the
> resource.
>
> While reconciliation task is/can be scheduled and will do everything in
> one run, Livesync is for immediate synchronization to react to changes as
> they are done in the source resource. There is also Import task, which can
> be used to initially import data to midPoint from resource, but basically
> it's very similar to reconciliation.
>
> https://wiki.evolveum.com/display/midPoint/Synchronization
> https://wiki.evolveum.com/display/midPoint/Synchronization+Flavors
>
> One interesting option is to run the reconciliation with "dry-run" flag
> enabled. This can be configured in GUI, Server tasks - edit task (or while
> creating new task). The "dry-run" will cause midPoint to evaluate the
> resource object and to detect the situation (like UNMATCHED, UNLINKED
> etc.). The shadow objects will be created, but nothing else will be changed
> on resource or in midPoint. This is great for testing the "sanity" of the
> correlation rules. For example if you configure synchronization for
> resource with many users that you expect to be linked with existing
> midPoint users, and you go to "Configuration - Shadow details" and lookup
> the resulting situations, if you have 90% of UNMATCHED accounts, the
> correlation expression was probably not correct.
>
> In your situation, where you already have existing accounts and users, but
> they were not correlated, updating user in midPoint will do the correlation
> as well. midPoint will try to do provisioning, it will fail because the
> account already exists and if there is <synchronization> section on the
> resource, it will try to correlate the just-discovered (the conflicting)
> account and synchronize it. If the owner is the same user as you were
> trying to provision, it will be linked and that's it. Otherwise, the
> discovered account could even cause to add new user in midPoint.
> In case that there was the conflict AND the already existing account will
> not correlate to the same user, iteration, if configured, will be used to
> ensure that the original request (to provision account for that user) is
> satisfied. Without iterator configuration, the request will fail with
> "already exists".
>
> There is one more thing you can do, if you're interested. If the DB Table
> resource is only to be authoritative and you never want to
> update/create/delete anything there from midPoint, you can use capabilities
> in resource to disable create/update/delete operations. Any attempt to
> execute that operation will then deliberately fail.
>
> . . .
>         </schemaHandling>
>
>                 <capabilities xmlns:cap=
> "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
> <http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3>>
>                         <configured>
>                                 <cap:create>
>                                         <cap:enabled>false</cap:enabled>
>                                 </cap:create>
>                                 <cap:update>
>                                         <cap:enabled>false</cap:enabled>
>                                 </cap:update>
>                                 <cap:delete>
>                                         <cap:enabled>false</cap:enabled>
>                                 </cap:delete>
>                         </configured>
>                 </capabilities>
>         <synchronization>
> . . .
>
> But it all depends on how much authoritative the resource is and if you
> really do not want to update data there.
>
> Regards,
> Ivan
>
>
> On 12/04/2014 01:46 AM, Jason Everling wrote:
>
> Nevermind! I got it going by using a reconciliation task which linked all
> existing accounts!
>
>  JASON
>
> On Wed, Dec 3, 2014 at 5:33 PM, Jason Everling <jeverling at bshp.edu> wrote:
>
>> Another question, since the accounts already exists in the application
>> database, midpoint will link the accounts only after the resource account
>> is modified. Is there a way to force link existing accounts without having
>> to wait and modify the resource account
>>
>>  For example:
>>
>>  John Doe is already in DBTable Resource
>> John Doe is already in Midpoint
>>
>>  Correlation will match employeeNumber.
>>
>>  So far, the only way to get midpoint to link the 2 accounts is to
>> modify the account on the resource, in the database table, I modify some
>> attribute then after I save the link is created in Midpoint.
>>
>> On Wed, Dec 3, 2014 at 3:15 PM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> *wanted to double-check, not wouldn't, was a typo
>>>
>>> On Wed, Dec 3, 2014 at 3:14 PM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> I wouldn't to double-check this,
>>>>
>>>>  I setup database table resource but the database already contains all
>>>> our students/faculty/staff so I DO NOT want midpoint creating accounts on
>>>> the resource, all push/update information for existing users.
>>>>
>>>>  I tested it and it seems ok, If I update a user in midpoint it will
>>>> automatically add the resource and link the accounts. Basically all I am
>>>> wanting to sync or update to this resource is firstname/lastname and
>>>> password along with some other attributes that I have not yet defined.
>>>> Works so far but I wanted to make sure that midpoint would not delete or
>>>> create on this resource, only update if found.
>>>>
>>>>  I attached the resource, please when you have time take a look at it.
>>>>
>>>>  JASON
>>>>
>>>
>>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/7bce6f9f/attachment.htm>

From ivan.noris at evolveum.com  Thu Dec  4 15:30:44 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 04 Dec 2014 15:30:44 +0100
Subject: [midPoint] DBTable - Users in Midpoint already exist in database
In-Reply-To: <CAFkZXY6-gwzUVMSxqi8TQhOf4hRrnN=pykczrz9pPqCzwDH_Jg@mail.gmail.com>
References: <CAFkZXY7MMGwKjYWdmB5_z9iu+Bd2b7vnrFphjOcTuzHggMyhsg@mail.gmail.com>
 <CAFkZXY4nar+d_EpzNARb8d+YfHJ6Z=Uu-VVzDu8cszTp+33A+w@mail.gmail.com>
 <CAFkZXY4KTVa1OLYgQD8yDBB-y+LZvwOXHzn9R=_m3M8PRf6rnQ@mail.gmail.com>
 <CAFkZXY7u83TjJv38UHh5RJ2Rq4yVv2tsy=5nGJCNWQhKKjs2pA@mail.gmail.com>
 <5480145A.9080809@evolveum.com>
 <CAFkZXY6-gwzUVMSxqi8TQhOf4hRrnN=pykczrz9pPqCzwDH_Jg@mail.gmail.com>
Message-ID: <54807014.4070704@evolveum.com>

Hi,

having updates enabled, but create/delete disabled is a valid
combination. I have used this during migration/upgrade of rules recently
to push the values generated in midPoint to other systems.

Regards,
Ivan

On 12/04/2014 03:22 PM, Jason Everling wrote:
> Thanks for the explanation, very helpful. I think I will add the
> capability statements for create and delete, I do want updates. This
> resource currently imports users from Active Directory but it is a one
> time thing and changes made later to the account in AD are not updated
> and also passwords are not sync'd. Having it in midpoint, the
> password/email address/ and a few other attributes will be updated as
> the changes are made in Midpoint.
>
> I am just now looking at all the other possibilities from just syncing
> with our student system!
>
> Thanks Again!
> JASON
>
> On Thu, Dec 4, 2014 at 1:59 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Jason,
>
>     yes, the reconciliation task is what you want to correlate the users.
>
>     Basically reconciliation and livesync are very similar, they both
>     do the same thing, correlate resource objects (i.e. accounts) and
>     midPoint focal objects (i.e. users). The difference is only WHEN
>     do they do it. The configuration is common for all, it's the
>     <synchronization> part of the resource.
>
>     While reconciliation task is/can be scheduled and will do
>     everything in one run, Livesync is for immediate synchronization
>     to react to changes as they are done in the source resource. There
>     is also Import task, which can be used to initially import data to
>     midPoint from resource, but basically it's very similar to
>     reconciliation.
>
>     https://wiki.evolveum.com/display/midPoint/Synchronization
>     https://wiki.evolveum.com/display/midPoint/Synchronization+Flavors
>
>     One interesting option is to run the reconciliation with "dry-run"
>     flag enabled. This can be configured in GUI, Server tasks - edit
>     task (or while creating new task). The "dry-run" will cause
>     midPoint to evaluate the resource object and to detect the
>     situation (like UNMATCHED, UNLINKED etc.). The shadow objects will
>     be created, but nothing else will be changed on resource or in
>     midPoint. This is great for testing the "sanity" of the
>     correlation rules. For example if you configure synchronization
>     for resource with many users that you expect to be linked with
>     existing midPoint users, and you go to "Configuration - Shadow
>     details" and lookup the resulting situations, if you have 90% of
>     UNMATCHED accounts, the correlation expression was probably not
>     correct.
>
>     In your situation, where you already have existing accounts and
>     users, but they were not correlated, updating user in midPoint
>     will do the correlation as well. midPoint will try to do
>     provisioning, it will fail because the account already exists and
>     if there is <synchronization> section on the resource, it will try
>     to correlate the just-discovered (the conflicting) account and
>     synchronize it. If the owner is the same user as you were trying
>     to provision, it will be linked and that's it. Otherwise, the
>     discovered account could even cause to add new user in midPoint.
>     In case that there was the conflict AND the already existing
>     account will not correlate to the same user, iteration, if
>     configured, will be used to ensure that the original request (to
>     provision account for that user) is satisfied. Without iterator
>     configuration, the request will fail with "already exists".
>
>     There is one more thing you can do, if you're interested. If the
>     DB Table resource is only to be authoritative and you never want
>     to update/create/delete anything there from midPoint, you can use
>     capabilities in resource to disable create/update/delete
>     operations. Any attempt to execute that operation will then
>     deliberately fail.
>
>     . . .
>             </schemaHandling>
>
>                     <capabilities
>     xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
>     <http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3>>
>                             <configured>
>                                     <cap:create>
>                                            
>     <cap:enabled>false</cap:enabled>
>                                     </cap:create>
>                                     <cap:update>
>                                            
>     <cap:enabled>false</cap:enabled>
>                                     </cap:update>
>                                     <cap:delete>
>                                            
>     <cap:enabled>false</cap:enabled>
>                                     </cap:delete>
>                             </configured>
>                     </capabilities>
>             <synchronization>
>     . . .
>
>     But it all depends on how much authoritative the resource is and
>     if you really do not want to update data there.
>
>     Regards,
>     Ivan
>
>
>     On 12/04/2014 01:46 AM, Jason Everling wrote:
>>     Nevermind! I got it going by using a reconciliation task which
>>     linked all existing accounts!
>>
>>     JASON
>>
>>     On Wed, Dec 3, 2014 at 5:33 PM, Jason Everling
>>     <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>>
>>         Another question, since the accounts already exists in the
>>         application database, midpoint will link the accounts only
>>         after the resource account is modified. Is there a way to
>>         force link existing accounts without having to wait and
>>         modify the resource account
>>
>>         For example:
>>
>>         John Doe is already in DBTable Resource
>>         John Doe is already in Midpoint
>>
>>         Correlation will match employeeNumber.
>>
>>         So far, the only way to get midpoint to link the 2 accounts
>>         is to modify the account on the resource, in the database
>>         table, I modify some attribute then after I save the link is
>>         created in Midpoint.
>>
>>         On Wed, Dec 3, 2014 at 3:15 PM, Jason Everling
>>         <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>>
>>             *wanted to double-check, not wouldn't, was a typo
>>
>>             On Wed, Dec 3, 2014 at 3:14 PM, Jason Everling
>>             <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>>
>>                 I wouldn't to double-check this,
>>
>>                 I setup database table resource but the database
>>                 already contains all our students/faculty/staff so I
>>                 DO NOT want midpoint creating accounts on the
>>                 resource, all push/update information for existing users.
>>
>>                 I tested it and it seems ok, If I update a user in
>>                 midpoint it will automatically add the resource and
>>                 link the accounts. Basically all I am wanting to sync
>>                 or update to this resource is firstname/lastname and
>>                 password along with some other attributes that I have
>>                 not yet defined. Works so far but I wanted to make
>>                 sure that midpoint would not delete or create on this
>>                 resource, only update if found.
>>
>>                 I attached the resource, please when you have time
>>                 take a look at it.
>>
>>                 JASON
>>
>>
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141204/3d7c309c/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec  5 09:10:51 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 05 Dec 2014 09:10:51 +0100
Subject: [midPoint] Account Creation, Not Being created in AD
In-Reply-To: <CAFkZXY60SBBag1DhoQT27FZErF3sATp1-rZo5JpnCpmo5rxEFA@mail.gmail.com>
References: <CAFkZXY4P6EBSKi388GcvYOCSipQ35JUdzDh_qCkEg-AD5M=-Fw@mail.gmail.com>
 <CAFkZXY4y4cdCxPrtQJTA37Ug7nq069XhsPBfLnuzHfodCA40fA@mail.gmail.com>
 <5458F771.8060601@evolveum.com>
 <CAFkZXY6YyCL-k3c_JKt6W_hXfegGoid9X0fKJ13grTv-q_whkQ@mail.gmail.com>
 <777803783.881170.1415179057522.JavaMail.zimbra@evolveum.com>
 <CAFkZXY41P8Soe4MLk2jEK_vvTUieJbcNYx8su8BsgyT-xW-AKQ@mail.gmail.com>
 <545BA3A3.2050008@evolveum.com>
 <CAFkZXY6vG8xjXZKM3ryGjCEPEp5ek1oo7+Czce0EotcqSwf8Rg@mail.gmail.com>
 <1668369272.887628.1415350605844.JavaMail.zimbra@evolveum.com>
 <CAFkZXY60SBBag1DhoQT27FZErF3sATp1-rZo5JpnCpmo5rxEFA@mail.gmail.com>
Message-ID: <5481688B.1030507@evolveum.com>

Jason,

I've just tried the original iterator (User in midPoint) problem and it
seems to be fixed in git-v3.0.1devel-703-g8c40b63.

I've tested with LiveSync CSV sample from you, used user template either
referenced from the unmatched action or global template. Username is
generated in midPoint:

(username - fullname)
cypecienka - Cyrus Pecienka
cypecienka2 - Cyrusov Pecienka
cypecienka3 - Cyril Pecienka
cypecienka4 - Cyrhoza Pecienka

Please retest it once after you upgrade to 3.1 or the master snapshot.
Thank you.

Regards,
Ivan

On 11/07/2014 04:23 PM, Jason Everling wrote:
> Thanks, it is working, like you said, will be easier to manage in the
> long run! Keep me posted on the bug fix,
>
> For now, I am just cleaning up objects and playing with other functions,
>
> JASON
>
> On Fri, Nov 7, 2014 at 2:56 AM, Ivan Noris <Ivan.Noris at evolveum.com
> <mailto:Ivan.Noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     yes you can use switch in one mapping instead of having many
>     mappings - I'm using it very often. It will be more simple to
>     maintain.
>
>     Just be sure to pass all required attributes as source. In your
>     case, organization does not have to be source attribute, because
>     you are not referencing it in the mapping expression
>      nor conditions.
>
>     You can further simplify the switch statement as:
>
>     switch (*costCenter*) {
>     . . .
>
>     - no basic.stringify() is needed, because the attribute type is
>     String and not Polystring. Having it there would not do any harm
>     though.
>     - you can address the attribute as "costCenter", because it's
>     implicitly stored in that "variable" as it is declared as source
>     attribute
>
>     Hope this helps you with designing your mappings.
>
>     Regards,
>     Ivan
>
>     ------------------------------------------------------------------------
>
>         *From: *"Jason Everling" <jeverling at bshp.edu
>         <mailto:jeverling at bshp.edu>>
>         *To: *"midPoint General Discussion"
>         <midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>>
>         *Sent: *Thursday, November 6, 2014 6:00:04 PM
>
>         *Subject: *Re: [midPoint] Account Creation, Not Being created
>         in AD
>
>         Oh Ok thanks,
>
>         Can you look at this and make sure it is correct, if you look
>         at the CSV User template I had sent I had a condition for each
>         program, I did some more digging on github and found a sample
>         similar to this,
>
>         Would the below work instead of all the conditions for mapping, 
>
>         <mapping>
>         <source>
>         <path>$user/costCenter</path>
>         </source>
>         <source>
>         <path>$user/organization</path>
>         </source>
>                <expression>
>                <script>
>                                       <code>
>         tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>         switch (basic.stringify(user.getCostCenter())) {
>         case 'ASGA':
>         tmpOU = 'OU=AAD,' + tmpOU
>         break
>         case 'AAD':
>         tmpOU = 'OU=AAD,' + tmpOU
>         break
>         case 'ASHIT':
>         tmpOU = 'OU=AAS HIT,' + tmpOU
>         break
>         case 'BSHM':
>         tmpOU = 'OU=BSHM,' + tmpOU
>         break
>         case 'BSN':
>         tmpOU = 'OU=BSN,' + tmpOU
>         break
>         case 'ASIM':
>         tmpOU = 'OU=DMIT,' + tmpOU
>         break
>         case 'CT':
>         tmpOU = 'OU=DMIT,' + tmpOU
>         break
>         case 'MRI':
>         tmpOU = 'OU=DMIT,' + tmpOU
>         break
>         case 'RT':
>         tmpOU = 'OU=DMIT,' + tmpOU
>         break
>         case 'VT':
>         tmpOU = 'OU=DMIT,' + tmpOU
>         break
>         case 'SO':
>         tmpOU = 'OU=DMIT,' + tmpOU
>         break
>         case 'PN':
>         tmpOU = 'OU=DPN,' + tmpOU
>         break
>         case 'ND':
>         tmpOU = 'OU=DPN,' + tmpOU
>         break
>         case 'ASGT':
>         tmpOU = 'OU=DST,' + tmpOU
>         break
>         case 'ST':
>         tmpOU = 'OU=DST,' + tmpOU
>         break
>         case 'VN':
>         tmpOU = 'OU=DVN,' + tmpOU
>         break
>         case 'GEN':
>         tmpOU = 'OU=GENED,' + tmpOU
>         break
>         case 'LVRN':
>         tmpOU = 'OU=LVRN,' + tmpOU
>         break
>         case 'PO':
>         tmpOU = 'OU=PNP,' + tmpOU
>         break
>         default:
>         tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>         }
>         return tmpOU
>                             </code>
>                         </script>
>                </expression>
>             <target>
>             <path>organization</path>
>             </target>
>         </mapping>
>
>         On Thu, Nov 6, 2014 at 10:36 AM, Ivan Noris
>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>             Hi Jason,
>
>             it seems you've hit a bug. I've replicated it on midPoint
>             master.
>
>             The issue is now being investigated by our developers in
>             order to fix it. I will drop a message to the list when
>             it's resolved.
>
>             Regards,
>             Ivan
>
>
>             On 11/05/2014 03:13 PM, Jason Everling wrote:
>
>                 So the role that gets assigned is nothing special, I
>                 just created a new role in the GUI and added the
>                 inducement for AD Resource. Eventually I will change
>                 the permissions on the roles to match what they need
>                 to be in production.
>
>                 I attached the AD Resource and AD User Template,
>
>                 JASON
>
>                 On Wed, Nov 5, 2014 at 3:17 AM, Ivan Noris
>                 <Ivan.Noris at evolveum.com
>                 <mailto:Ivan.Noris at evolveum.com>> wrote:
>
>                     Hi Jason,
>
>                     yes I think it's somehow depending on the fact
>                     that you are generating username.
>
>                     Can you please share details how AD accounts are
>                     constructed from the midpoint's username? What
>                     attributes are depending on user/name? DN?
>                     sAMAccountName? ... ?
>                     Also, could you send the role definition? I have
>                     some conditional roles that are assigned to user,
>                     but don't do anything if the condition is false.
>                     Which resembles your situation...
>
>                     BTW it's really strange for me so far. I'd expect
>                     at least some exception...
>
>                     Thanks,
>                     regards,
>                     Ivan
>
>                     ------------------------------------------------------------------------
>
>                         *From: *"Jason Everling" <jeverling at bshp.edu
>                         <mailto:jeverling at bshp.edu>>
>                         *To: *"midPoint General Discussion"
>                         <midpoint at lists.evolveum.com
>                         <mailto:midpoint at lists.evolveum.com>>
>                         *Sent: *Tuesday, November 4, 2014 5:19:31 PM
>                         *Subject: *Re: [midPoint] Account Creation,
>                         Not Being created in AD
>
>
>                         So yes, those are from today but instead of
>                         digging through to yesterday I just added a
>                         new line to the CSV feed, so new
>                         firstname,lastname, employeeID so that it
>                         would create a new account.
>
>                         I actually added 3 new lines to the CSV and
>                         all 3 get created in Midpoint, Role Assigned
>                         with AD inducement, and Org Assigned, the AD
>                         account never gets created though until I
>                         modify the account in Midpoint.
>
>                         That is the only log entry I get when the CSV
>                         feed is updated and new account is created in
>                         Midpoint,
>
>                         Using Midpoint 3.0
>
>                         Version 	3.0
>                         Git describe 	git-v3.0
>
>
>                         If I remove the username generation and add a
>                         username attribute to the CSV feed it works as
>                         expected, this is just when generating the
>                         username, is it maybe because the role is
>                         getting assigned before Midpoint has time to
>                         generate the username and such?
>
>                         Jason
>
>                         On Tue, Nov 4, 2014 at 9:57 AM, Ivan Noris
>                         <ivan.noris at evolveum.com
>                         <mailto:ivan.noris at evolveum.com>> wrote:
>
>                             Hi Jason,
>
>                             just to be sure: these error messages have
>                             timestamp from today; but you've reported
>                             your problem to the list yesterday.
>
>                             Could you please:
>
>                             1) double check that the log is the
>                             correct one / or find the (supposed) error
>                             messages in previously rotated log (stored
>                             in the same directory as idm.log, but the
>                             name derived from the date..)
>                             2) replicate the issue and send current
>                             idm.log fragment
>
>                             The messages referenced here are ok = we
>                             don't see anything yet.
>
>                             Also please, what version of midPoint are
>                             you using..?
>
>                             Thanks,
>                             regards,
>                             Ivan
>
>
>                             On 11/04/2014 03:25 PM, Jason Everling wrote:
>
>                                 I added a new line to the CSV so it
>                                 could create a new user, it gets
>                                 created in Midpoint and the role and
>                                 org assigned, the only item in the log
>                                 that stands out is,
>
>                                 2014-11-04 08:22:11,914 [PROVISIONING]
>                                 [midPointScheduler_Worker-2] WARN
>                                 (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter):
>                                 The resource: SonisWeb-Generate
>                                 (OID:af2bc95b-76e0-48e2-86d6-3d4f02d3fafa)
>                                 does not provide definition for null
>                                 value of simulated activation attribute
>
>                                 There is no other errors besides that,
>
>                                 2014-11-04 08:09:00,859 [REPOSITORY]
>                                 [midPointScheduler_Worker-6] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:09:29,824 [REPOSITORY]
>                                 [midPointScheduler_Worker-3] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:12:20,134 [REPOSITORY]
>                                 [midPointScheduler_Worker-3] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:12:20,247 [REPOSITORY]
>                                 [midPointScheduler_Worker-9] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:14:00,397 [REPOSITORY]
>                                 [midPointScheduler_Worker-9] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:22:00,465 [REPOSITORY]
>                                 [midPointScheduler_Worker-3] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:22:06,150 [REPOSITORY]
>                                 [midPointScheduler_Worker-2] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:22:06,271 [REPOSITORY]
>                                 [midPointScheduler_Worker-2] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:22:11,914 [PROVISIONING]
>                                 [midPointScheduler_Worker-2] WARN
>                                 (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter):
>                                 The resource: SonisWeb-Generate
>                                 (OID:af2bc95b-76e0-48e2-86d6-3d4f02d3fafa)
>                                 does not provide definition for null
>                                 value of simulated activation attribute
>
>                                 On Tue, Nov 4, 2014 at 1:17 AM, Ivan
>                                 Noris <Ivan.Noris at evolveum.com
>                                 <mailto:Ivan.Noris at evolveum.com>> wrote:
>
>                                     Jason,
>
>                                     could you please check error
>                                     messages from idm.log from the
>                                     time of the supposed creation?
>
>                                     Thanks,
>                                     Ivan
>
>                                     ------------------------------------------------------------------------
>
>                                         *From: *"Jason Everling"
>                                         <jeverling at bshp.edu
>                                         <mailto:jeverling at bshp.edu>>
>                                         *To: *"midPoint General
>                                         Discussion"
>                                         <midpoint at lists.evolveum.com
>                                         <mailto:midpoint at lists.evolveum.com>>
>                                         *Sent: *Monday, November 3,
>                                         2014 11:50:06 PM
>                                         *Subject: *[midPoint] Account
>                                         Creation, Not Being created in AD
>
>
>                                         So my director wanted to see
>                                         it fully automated so all I
>                                         basically had to do was modify
>                                         the CSV resource to generate
>                                         the usernames and email
>                                         addresses, done, this works.
>
>                                         The account gets created in
>                                         Midpoint from the CSV, gets an
>                                         Org assigned and gets a Role
>                                         assigned. The role has an
>                                         inducement for active
>                                         directory but even though the
>                                         account gets the role assigned
>                                         an account in AD does not get
>                                         created. Now if I modify the
>                                         user in midpoint, lets say
>                                         just change a letter in the
>                                         personal email address field
>                                         the AD account creation kicks off.
>
>                                         I cannot seem to figure out
>                                         why the AD account does not
>                                         get created even though it
>                                         gets the role assigned and
>                                         before I changed it to create
>                                         the usernames it was creating
>                                         those accounts in AD.
>
>                                         I attached the CSV Resource
>                                         and the CSV Template that is
>                                         being used,
>
>                                         Thanks,
>                                         JASON
>
>
>
>
>
>                                         CONFIDENTIALITY NOTICE:
>                                         This e-mail together with any
>                                         attachments is proprietary and
>                                         confidential; intended for
>                                         only the recipient(s) named
>                                         above and may contain
>                                         information that is
>                                         privileged. You should not
>                                         retain, copy or use this
>                                         e-mail or any attachments for
>                                         any purpose, or disclose all
>                                         or any part of the contents to
>                                         any person. Any views or
>                                         opinions expressed in this
>                                         e-mail are those of the author
>                                         and do not represent those of
>                                         the Baptist School of Health
>                                         Professions. If you have
>                                         received this e-mail in error,
>                                         or are not the named
>                                         recipient(s), you are hereby
>                                         notified that any review,
>                                         dissemination, distribution or
>                                         copying of this communication
>                                         is prohibited by the sender
>                                         and to do so might constitute
>                                         a violation of the Electronic
>                                         Communications Privacy Act, 18
>                                         U.S.C. section 2510-2521.
>                                         Please immediately notify the
>                                         sender and delete this e-mail
>                                         and any attachments from your
>                                         computer.
>
>                                         _______________________________________________
>                                         midPoint mailing list
>                                         midPoint at lists.evolveum.com
>                                         <mailto:midPoint at lists.evolveum.com>
>                                         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>                                     -- 
>                                       Ing. Ivan Noris
>                                       Senior Identity Management Engineer
>                                       evolveum.com <http://evolveum.com>
>                                       ___________________________________________
>                                                "Idem per idem - semper
>                                     idem Vix."
>
>                                     _______________________________________________
>                                     midPoint mailing list
>                                     midPoint at lists.evolveum.com
>                                     <mailto:midPoint at lists.evolveum.com>
>                                     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>                                 CONFIDENTIALITY NOTICE:
>                                 This e-mail together with any
>                                 attachments is proprietary and
>                                 confidential; intended for only the
>                                 recipient(s) named above and may
>                                 contain information that is
>                                 privileged. You should not retain,
>                                 copy or use this e-mail or any
>                                 attachments for any purpose, or
>                                 disclose all or any part of the
>                                 contents to any person. Any views or
>                                 opinions expressed in this e-mail are
>                                 those of the author and do not
>                                 represent those of the Baptist School
>                                 of Health Professions. If you have
>                                 received this e-mail in error, or are
>                                 not the named recipient(s), you are
>                                 hereby notified that any review,
>                                 dissemination, distribution or copying
>                                 of this communication is prohibited by
>                                 the sender and to do so might
>                                 constitute a violation of the
>                                 Electronic Communications Privacy Act,
>                                 18 U.S.C. section 2510-2521. Please
>                                 immediately notify the sender and
>                                 delete this e-mail and any attachments
>                                 from your computer.
>
>
>                                 _______________________________________________
>                                 midPoint mailing list
>                                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>                                 http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>                             -- 
>                               Ing. Ivan Noris
>                               Senior Identity Management Engineer
>                               evolveum.com <http://evolveum.com>
>                               ___________________________________________
>                                        "Idem per idem - semper idem Vix."
>
>
>                             _______________________________________________
>                             midPoint mailing list
>                             midPoint at lists.evolveum.com
>                             <mailto:midPoint at lists.evolveum.com>
>                             http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>                         CONFIDENTIALITY NOTICE:
>                         This e-mail together with any attachments is
>                         proprietary and confidential; intended for
>                         only the recipient(s) named above and may
>                         contain information that is privileged. You
>                         should not retain, copy or use this e-mail or
>                         any attachments for any purpose, or disclose
>                         all or any part of the contents to any person.
>                         Any views or opinions expressed in this e-mail
>                         are those of the author and do not represent
>                         those of the Baptist School of Health
>                         Professions. If you have received this e-mail
>                         in error, or are not the named recipient(s),
>                         you are hereby notified that any review,
>                         dissemination, distribution or copying of this
>                         communication is prohibited by the sender and
>                         to do so might constitute a violation of the
>                         Electronic Communications Privacy Act, 18
>                         U.S.C. section 2510-2521. Please immediately
>                         notify the sender and delete this e-mail and
>                         any attachments from your computer.
>
>                         _______________________________________________
>                         midPoint mailing list
>                         midPoint at lists.evolveum.com
>                         <mailto:midPoint at lists.evolveum.com>
>                         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>                     -- 
>                       Ing. Ivan Noris
>                       Senior Identity Management Engineer
>                       evolveum.com <http://evolveum.com>
>                       ___________________________________________
>                                "Idem per idem - semper idem Vix."
>
>                     _______________________________________________
>                     midPoint mailing list
>                     midPoint at lists.evolveum.com
>                     <mailto:midPoint at lists.evolveum.com>
>                     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>                 CONFIDENTIALITY NOTICE:
>                 This e-mail together with any attachments is
>                 proprietary and confidential; intended for only the
>                 recipient(s) named above and may contain information
>                 that is privileged. You should not retain, copy or use
>                 this e-mail or any attachments for any purpose, or
>                 disclose all or any part of the contents to any
>                 person. Any views or opinions expressed in this e-mail
>                 are those of the author and do not represent those of
>                 the Baptist School of Health Professions. If you have
>                 received this e-mail in error, or are not the named
>                 recipient(s), you are hereby notified that any review,
>                 dissemination, distribution or copying of this
>                 communication is prohibited by the sender and to do so
>                 might constitute a violation of the Electronic
>                 Communications Privacy Act, 18 U.S.C. section
>                 2510-2521. Please immediately notify the sender and
>                 delete this e-mail and any attachments from your
>                 computer.
>
>
>                 _______________________________________________
>                 midPoint mailing list
>                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>             -- 
>               Ing. Ivan Noris
>               Senior Identity Management Engineer
>               evolveum.com <http://evolveum.com>
>               ___________________________________________
>                        "Idem per idem - semper idem Vix."
>
>
>             _______________________________________________
>             midPoint mailing list
>             midPoint at lists.evolveum.com
>             <mailto:midPoint at lists.evolveum.com>
>             http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>         CONFIDENTIALITY NOTICE:
>         This e-mail together with any attachments is proprietary and
>         confidential; intended for only the recipient(s) named above
>         and may contain information that is privileged. You should not
>         retain, copy or use this e-mail or any attachments for any
>         purpose, or disclose all or any part of the contents to any
>         person. Any views or opinions expressed in this e-mail are
>         those of the author and do not represent those of the Baptist
>         School of Health Professions. If you have received this e-mail
>         in error, or are not the named recipient(s), you are hereby
>         notified that any review, dissemination, distribution or
>         copying of this communication is prohibited by the sender and
>         to do so might constitute a violation of the Electronic
>         Communications Privacy Act, 18 U.S.C. section 2510-2521.
>         Please immediately notify the sender and delete this e-mail
>         and any attachments from your computer.
>
>         _______________________________________________
>         midPoint mailing list
>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>
>       ___________________________________________
>                "Idem per idem - semper idem Vix."
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/449574ba/attachment.htm>

From jeverling at bshp.edu  Fri Dec  5 16:12:21 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 09:12:21 -0600
Subject: [midPoint] Help with condition in Synchonization
Message-ID: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>

I was trying to add a condition to the synchronization element,

Here is what I got, there is a column in the table level_ , I only want to
sync users that have those specific values

<condition>
<script>
<code>
basic.getAttributeValue(shadow, '
http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
</code>
</script>
</condition>

When it runs I get the following

1 error
 (new) condition in object synchronization null
at
com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
~[model-common-3.0.1.jar:na]
at
com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
~[model-impl-3.0.1.jar:na]
at
com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
~[model-impl-3.0.1.jar:na]
at
com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
~[model-impl-3.0.1.jar:na]
... 54 common frames omitted
Caused by: javax.script.ScriptException:
org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
failed:
Script37.groovy: 2:
"basic.getAttributeValue(shadow,
http://midpoint.evolveum.com/xml/ns/public/resource/instance-3, level_)" is
a method call expression, but it should be a variable expression at line: 2
column: 116. File: Script37.groovy @ line 2, column 116.
   source/instance-3', 'level_') = (2 || 3

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/402a49b5/attachment.htm>

From jeverling at bshp.edu  Fri Dec  5 16:13:01 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 09:13:01 -0600
Subject: [midPoint] Account Creation, Not Being created in AD
In-Reply-To: <5481688B.1030507@evolveum.com>
References: <CAFkZXY4P6EBSKi388GcvYOCSipQ35JUdzDh_qCkEg-AD5M=-Fw@mail.gmail.com>
 <CAFkZXY4y4cdCxPrtQJTA37Ug7nq069XhsPBfLnuzHfodCA40fA@mail.gmail.com>
 <5458F771.8060601@evolveum.com>
 <CAFkZXY6YyCL-k3c_JKt6W_hXfegGoid9X0fKJ13grTv-q_whkQ@mail.gmail.com>
 <777803783.881170.1415179057522.JavaMail.zimbra@evolveum.com>
 <CAFkZXY41P8Soe4MLk2jEK_vvTUieJbcNYx8su8BsgyT-xW-AKQ@mail.gmail.com>
 <545BA3A3.2050008@evolveum.com>
 <CAFkZXY6vG8xjXZKM3ryGjCEPEp5ek1oo7+Czce0EotcqSwf8Rg@mail.gmail.com>
 <1668369272.887628.1415350605844.JavaMail.zimbra@evolveum.com>
 <CAFkZXY60SBBag1DhoQT27FZErF3sATp1-rZo5JpnCpmo5rxEFA@mail.gmail.com>
 <5481688B.1030507@evolveum.com>
Message-ID: <CAFkZXY6vQ3LWQdhtZuFv-M7d95goxQNsR6ZDXFB-Dye=NqXVAg@mail.gmail.com>

Ok thanks for the update!

JASON

On Fri, Dec 5, 2014 at 2:10 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> I've just tried the original iterator (User in midPoint) problem and it
> seems to be fixed in git-v3.0.1devel-703-g8c40b63.
>
> I've tested with LiveSync CSV sample from you, used user template either
> referenced from the unmatched action or global template. Username is
> generated in midPoint:
>
> (username - fullname)
> cypecienka - Cyrus Pecienka
> cypecienka2 - Cyrusov Pecienka
> cypecienka3 - Cyril Pecienka
> cypecienka4 - Cyrhoza Pecienka
>
> Please retest it once after you upgrade to 3.1 or the master snapshot.
> Thank you.
>
> Regards,
> Ivan
>
>
> On 11/07/2014 04:23 PM, Jason Everling wrote:
>
> Thanks, it is working, like you said, will be easier to manage in the long
> run! Keep me posted on the bug fix,
>
>  For now, I am just cleaning up objects and playing with other functions,
>
>  JASON
>
> On Fri, Nov 7, 2014 at 2:56 AM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>>  yes you can use switch in one mapping instead of having many mappings -
>> I'm using it very often. It will be more simple to maintain.
>>
>>  Just be sure to pass all required attributes as source. In your case,
>> organization does not have to be source attribute, because you are not
>> referencing it in the mapping expression
>>  nor conditions.
>>
>>  You can further simplify the switch statement as:
>>
>>  switch (*costCenter*) {
>> . . .
>>
>>  - no basic.stringify() is needed, because the attribute type is String
>> and not Polystring. Having it there would not do any harm though.
>>  - you can address the attribute as "costCenter", because it's
>> implicitly stored in that "variable" as it is declared as source attribute
>>
>>  Hope this helps you with designing your mappings.
>>
>>  Regards,
>>  Ivan
>>
>>  ------------------------------
>>
>> *From: *"Jason Everling" <jeverling at bshp.edu>
>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>> *Sent: *Thursday, November 6, 2014 6:00:04 PM
>>
>> *Subject: *Re: [midPoint] Account Creation, Not Being created in AD
>>
>>  Oh Ok thanks,
>>
>>  Can you look at this and make sure it is correct, if you look at the
>> CSV User template I had sent I had a condition for each program, I did some
>> more digging on github and found a sample similar to this,
>>
>>  Would the below work instead of all the conditions for mapping,
>>
>>   <mapping>
>>  <source>
>>  <path>$user/costCenter</path>
>>  </source>
>>  <source>
>>  <path>$user/organization</path>
>>  </source>
>>         <expression>
>>         <script>
>>                               <code>
>>  tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>>  switch (basic.stringify(user.getCostCenter())) {
>>  case 'ASGA':
>>  tmpOU = 'OU=AAD,' + tmpOU
>>  break
>>  case 'AAD':
>>  tmpOU = 'OU=AAD,' + tmpOU
>>  break
>>  case 'ASHIT':
>>  tmpOU = 'OU=AAS HIT,' + tmpOU
>>  break
>>  case 'BSHM':
>>  tmpOU = 'OU=BSHM,' + tmpOU
>>  break
>>  case 'BSN':
>>  tmpOU = 'OU=BSN,' + tmpOU
>>  break
>>  case 'ASIM':
>>  tmpOU = 'OU=DMIT,' + tmpOU
>>  break
>>  case 'CT':
>>  tmpOU = 'OU=DMIT,' + tmpOU
>>  break
>>  case 'MRI':
>>  tmpOU = 'OU=DMIT,' + tmpOU
>>  break
>>  case 'RT':
>>  tmpOU = 'OU=DMIT,' + tmpOU
>>  break
>>  case 'VT':
>>  tmpOU = 'OU=DMIT,' + tmpOU
>>  break
>>  case 'SO':
>>  tmpOU = 'OU=DMIT,' + tmpOU
>>  break
>>  case 'PN':
>>  tmpOU = 'OU=DPN,' + tmpOU
>>  break
>>  case 'ND':
>>  tmpOU = 'OU=DPN,' + tmpOU
>>  break
>>  case 'ASGT':
>>  tmpOU = 'OU=DST,' + tmpOU
>>  break
>>  case 'ST':
>>  tmpOU = 'OU=DST,' + tmpOU
>>  break
>>  case 'VN':
>>  tmpOU = 'OU=DVN,' + tmpOU
>>  break
>>  case 'GEN':
>>  tmpOU = 'OU=GENED,' + tmpOU
>>  break
>>  case 'LVRN':
>>  tmpOU = 'OU=LVRN,' + tmpOU
>>  break
>>  case 'PO':
>>  tmpOU = 'OU=PNP,' + tmpOU
>>  break
>>  default:
>>  tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>>  }
>>  return tmpOU
>>                     </code>
>>                 </script>
>>         </expression>
>>     <target>
>>     <path>organization</path>
>>     </target>
>>  </mapping>
>>
>> On Thu, Nov 6, 2014 at 10:36 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> it seems you've hit a bug. I've replicated it on midPoint master.
>>>
>>> The issue is now being investigated by our developers in order to fix
>>> it. I will drop a message to the list when it's resolved.
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 11/05/2014 03:13 PM, Jason Everling wrote:
>>>
>>> So the role that gets assigned is nothing special, I just created a new
>>> role in the GUI and added the inducement for AD Resource. Eventually I will
>>> change the permissions on the roles to match what they need to be in
>>> production.
>>>
>>>  I attached the AD Resource and AD User Template,
>>>
>>>  JASON
>>>
>>> On Wed, Nov 5, 2014 at 3:17 AM, Ivan Noris <Ivan.Noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>>  yes I think it's somehow depending on the fact that you are
>>>> generating username.
>>>>
>>>>  Can you please share details how AD accounts are constructed from the
>>>> midpoint's username? What attributes are depending on user/name? DN?
>>>> sAMAccountName? ... ?
>>>>  Also, could you send the role definition? I have some conditional
>>>> roles that are assigned to user, but don't do anything if the condition is
>>>> false. Which resembles your situation...
>>>>
>>>>  BTW it's really strange for me so far. I'd expect at least some
>>>> exception...
>>>>
>>>>  Thanks,
>>>>  regards,
>>>>  Ivan
>>>>
>>>>  ------------------------------
>>>>
>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>> *Sent: *Tuesday, November 4, 2014 5:19:31 PM
>>>> *Subject: *Re: [midPoint] Account Creation, Not Being created in AD
>>>>
>>>>
>>>>  So yes, those are from today but instead of digging through to
>>>> yesterday I just added a new line to the CSV feed, so new
>>>> firstname,lastname, employeeID so that it would create a new account.
>>>>
>>>>  I actually added 3 new lines to the CSV and all 3 get created in
>>>> Midpoint, Role Assigned with AD inducement, and Org Assigned, the AD
>>>> account never gets created though until I modify the account in Midpoint.
>>>>
>>>>  That is the only log entry I get when the CSV feed is updated and new
>>>> account is created in Midpoint,
>>>>
>>>>  Using Midpoint 3.0
>>>>
>>>>     Version 3.0  Git describe git-v3.0
>>>>  If I remove the username generation and add a username attribute to
>>>> the CSV feed it works as expected, this is just when generating the
>>>> username, is it maybe because the role is getting assigned before Midpoint
>>>> has time to generate the username and such?
>>>>
>>>>  Jason
>>>>
>>>> On Tue, Nov 4, 2014 at 9:57 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hi Jason,
>>>>>
>>>>> just to be sure: these error messages have timestamp from today; but
>>>>> you've reported your problem to the list yesterday.
>>>>>
>>>>> Could you please:
>>>>>
>>>>> 1) double check that the log is the correct one / or find the
>>>>> (supposed) error messages in previously rotated log (stored in the same
>>>>> directory as idm.log, but the name derived from the date..)
>>>>> 2) replicate the issue and send current idm.log fragment
>>>>>
>>>>> The messages referenced here are ok = we don't see anything yet.
>>>>>
>>>>> Also please, what version of midPoint are you using..?
>>>>>
>>>>> Thanks,
>>>>> regards,
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 11/04/2014 03:25 PM, Jason Everling wrote:
>>>>>
>>>>> I added a new line to the CSV so it could create a new user, it gets
>>>>> created in Midpoint and the role and org assigned, the only item in the log
>>>>> that stands out is,
>>>>>
>>>>>  2014-11-04 08:22:11,914 [PROVISIONING] [midPointScheduler_Worker-2]
>>>>> WARN (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): The
>>>>> resource: SonisWeb-Generate (OID:af2bc95b-76e0-48e2-86d6-3d4f02d3fafa) does
>>>>> not provide definition for null value of simulated activation attribute
>>>>>
>>>>>  There is no other errors besides that,
>>>>>
>>>>>  2014-11-04 08:09:00,859 [REPOSITORY] [midPointScheduler_Worker-6]
>>>>> INFO (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>>>>> HHH000010: On release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:09:29,824 [REPOSITORY] [midPointScheduler_Worker-3] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:12:20,134 [REPOSITORY] [midPointScheduler_Worker-3] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:12:20,247 [REPOSITORY] [midPointScheduler_Worker-9] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:14:00,397 [REPOSITORY] [midPointScheduler_Worker-9] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:22:00,465 [REPOSITORY] [midPointScheduler_Worker-3] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:22:06,150 [REPOSITORY] [midPointScheduler_Worker-2] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:22:06,271 [REPOSITORY] [midPointScheduler_Worker-2] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:22:11,914 [PROVISIONING] [midPointScheduler_Worker-2]
>>>>> WARN (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): The
>>>>> resource: SonisWeb-Generate (OID:af2bc95b-76e0-48e2-86d6-3d4f02d3fafa) does
>>>>> not provide definition for null value of simulated activation attribute
>>>>>
>>>>> On Tue, Nov 4, 2014 at 1:17 AM, Ivan Noris <Ivan.Noris at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>>  Jason,
>>>>>>
>>>>>>  could you please check error messages from idm.log from the time of
>>>>>> the supposed creation?
>>>>>>
>>>>>>  Thanks,
>>>>>>  Ivan
>>>>>>
>>>>>>  ------------------------------
>>>>>>
>>>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>>>> *Sent: *Monday, November 3, 2014 11:50:06 PM
>>>>>> *Subject: *[midPoint] Account Creation, Not Being created in AD
>>>>>>
>>>>>>
>>>>>>  So my director wanted to see it fully automated so all I basically
>>>>>> had to do was modify the CSV resource to generate the usernames and email
>>>>>> addresses, done, this works.
>>>>>>
>>>>>>  The account gets created in Midpoint from the CSV, gets an Org
>>>>>> assigned and gets a Role assigned. The role has an inducement for active
>>>>>> directory but even though the account gets the role assigned an account in
>>>>>> AD does not get created. Now if I modify the user in midpoint, lets say
>>>>>> just change a letter in the personal email address field the AD account
>>>>>> creation kicks off.
>>>>>>
>>>>>>  I cannot seem to figure out why the AD account does not get created
>>>>>> even though it gets the role assigned and before I changed it to create the
>>>>>> usernames it was creating those accounts in AD.
>>>>>>
>>>>>>  I attached the CSV Resource and the CSV Template that is being used,
>>>>>>
>>>>>>  Thanks,
>>>>>> JASON
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>   CONFIDENTIALITY NOTICE:
>>>>>> This e-mail together with any attachments is proprietary and
>>>>>> confidential; intended for only the recipient(s) named above and may
>>>>>> contain information that is privileged. You should not retain, copy or use
>>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>>> computer.
>>>>>>
>>>>>>  _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>  --
>>>>>>    Ing. Ivan Noris
>>>>>>   Senior Identity Management Engineer
>>>>>>   evolveum.com
>>>>>>   ___________________________________________
>>>>>>            "Idem per idem - semper idem Vix."
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>> --
>>>>>   Ing. Ivan Noris
>>>>>   Senior Identity Management Engineer
>>>>>   evolveum.com
>>>>>   ___________________________________________
>>>>>            "Idem per idem - semper idem Vix."
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>  CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>  _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>>  --
>>>>    Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com
>>>>   ___________________________________________
>>>>            "Idem per idem - semper idem Vix."
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com
>>>   ___________________________________________
>>>            "Idem per idem - semper idem Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>>  CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>  _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>  --
>>    Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com
>>   ___________________________________________
>>            "Idem per idem - semper idem Vix."
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/f08359ce/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec  5 18:19:36 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 05 Dec 2014 18:19:36 +0100
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
Message-ID: <5481E928.4010405@evolveum.com>

Hi Jason,

I would do this:

. . .
<code>
tmp = basic.getAttributeValue(shadow,
'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
'level_');

return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
</code>
. . .

Regards,
I.

On 12/05/2014 04:12 PM, Jason Everling wrote:
> I was trying to add a condition to the synchronization element,
>
> Here is what I got, there is a column in the table level_ , I only
> want to sync users that have those specific values
>
> <condition>
> <script>
> <code>
> basic.getAttributeValue(shadow,
> 'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
> </code>
> </script>
> </condition>
>
> When it runs I get the following
>
> 1 error
>  (new) condition in object synchronization null
> at
> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
> ~[model-common-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
> ~[model-impl-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
> ~[model-impl-3.0.1.jar:na]
> at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
> ~[model-impl-3.0.1.jar:na]
> ... 54 common frames omitted
> Caused by: javax.script.ScriptException:
> org.codehaus.groovy.control.MultipleCompilationErrorsException:
> startup failed:
> Script37.groovy: 2: 
> "basic.getAttributeValue(shadow,
> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
> level_)" is a method call expression, but it should be a variable
> expression at line: 2 column: 116. File: Script37.groovy @ line 2,
> column 116.
>    source/instance-3', 'level_') = (2 || 3 
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/811ca259/attachment.htm>

From jeverling at bshp.edu  Fri Dec  5 18:46:13 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 11:46:13 -0600
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <5481E928.4010405@evolveum.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
Message-ID: <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>

I was trying something like that but didnt get anywhere,

I have,

<condition>
<script>
<code>
tmp = basic.getAttributeValue(shadow, '
http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
'level_');
return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp == A || tmp ==
B || tmp == C || tmp == H)
</code>
</script>
</condition>

And get error,

ERROR (com.evolveum.midpoint.model.common.expression.Expression): Error
evaluating expression in condition in object synchronization null:
groovy.lang.MissingPropertyException: No such property: A for class:
Script42 (new) condition in object synchronization null
com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
groovy.lang.MissingPropertyException: No such property: A for class:
Script42 (new) condition in object synchronization null

On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> I would do this:
>
> . . .
> <code>
> tmp = basic.getAttributeValue(shadow, '
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_');
>
> return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
> </code>
> . . .
>
> Regards,
> I.
>
>
> On 12/05/2014 04:12 PM, Jason Everling wrote:
>
> I was trying to add a condition to the synchronization element,
>
>  Here is what I got, there is a column in the table level_ , I only want
> to sync users that have those specific values
>
>   <condition>
>  <script>
>  <code>
>  basic.getAttributeValue(shadow, '
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>  </code>
>  </script>
>  </condition>
>
>  When it runs I get the following
>
>  1 error
>  (new) condition in object synchronization null
>  at
> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
> ~[model-common-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
> ~[model-impl-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
> ~[model-impl-3.0.1.jar:na]
>  at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
> ~[model-impl-3.0.1.jar:na]
>  ... 54 common frames omitted
> Caused by: javax.script.ScriptException:
> org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
> failed:
> Script37.groovy: 2:
> "basic.getAttributeValue(shadow,
> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3, level_)"
> is a method call expression, but it should be a variable expression at
> line: 2 column: 116. File: Script37.groovy @ line 2, column 116.
>    source/instance-3', 'level_') = (2 || 3
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/1f6b206e/attachment.htm>

From jeverling at bshp.edu  Fri Dec  5 19:02:12 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 12:02:12 -0600
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
Message-ID: <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>

It was because the A, B, C, H didnt exist in the database, when I removed
those levels it doesn't error but it also does not create accounts for the
ones that have a matching level like 2 or 3

JASON

On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling <jeverling at bshp.edu> wrote:

> I was trying something like that but didnt get anywhere,
>
> I have,
>
> <condition>
> <script>
> <code>
> tmp = basic.getAttributeValue(shadow, '
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_');
> return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp == A || tmp ==
> B || tmp == C || tmp == H)
> </code>
> </script>
> </condition>
>
> And get error,
>
> ERROR (com.evolveum.midpoint.model.common.expression.Expression): Error
> evaluating expression in condition in object synchronization null:
> groovy.lang.MissingPropertyException: No such property: A for class:
> Script42 (new) condition in object synchronization null
> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
> groovy.lang.MissingPropertyException: No such property: A for class:
> Script42 (new) condition in object synchronization null
>
> On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>> I would do this:
>>
>> . . .
>> <code>
>> tmp = basic.getAttributeValue(shadow, '
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>> 'level_');
>>
>> return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>> </code>
>> . . .
>>
>> Regards,
>> I.
>>
>>
>> On 12/05/2014 04:12 PM, Jason Everling wrote:
>>
>> I was trying to add a condition to the synchronization element,
>>
>>  Here is what I got, there is a column in the table level_ , I only want
>> to sync users that have those specific values
>>
>>   <condition>
>>  <script>
>>  <code>
>>  basic.getAttributeValue(shadow, '
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>> 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>  </code>
>>  </script>
>>  </condition>
>>
>>  When it runs I get the following
>>
>>  1 error
>>  (new) condition in object synchronization null
>>  at
>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
>> ~[model-common-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
>> ~[model-impl-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
>> ~[model-impl-3.0.1.jar:na]
>>  at
>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
>> ~[model-impl-3.0.1.jar:na]
>>  ... 54 common frames omitted
>> Caused by: javax.script.ScriptException:
>> org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
>> failed:
>> Script37.groovy: 2:
>> "basic.getAttributeValue(shadow,
>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3, level_)"
>> is a method call expression, but it should be a variable expression at
>> line: 2 column: 116. File: Script37.groovy @ line 2, column 116.
>>    source/instance-3', 'level_') = (2 || 3
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/5e9e5e14/attachment.htm>

From jeverling at bshp.edu  Fri Dec  5 20:52:52 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 13:52:52 -0600
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
Message-ID: <CAFkZXY4aCTMSiZva-3GAznfJcx6F5inFtnCQNUxbZMEM4kFf0Q@mail.gmail.com>

I double-checked everything, the objectTemplate to create the accounts is
proper, same as my csv template.

When I am looking at the Shadow details for the resource, the 4 users in my
table have a state "nothing" even though 2 of the users have the level_ as
2 or 3

State Count State Count State Count  Deleted 0 Linked 0 Unmatched 0
Disputed 0 Unlinked 0 Nothing 4    *Total* *4*

On Fri, Dec 5, 2014 at 12:02 PM, Jason Everling <jeverling at bshp.edu> wrote:

> It was because the A, B, C, H didnt exist in the database, when I removed
> those levels it doesn't error but it also does not create accounts for the
> ones that have a matching level like 2 or 3
>
> JASON
>
> On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> I was trying something like that but didnt get anywhere,
>>
>> I have,
>>
>> <condition>
>> <script>
>> <code>
>> tmp = basic.getAttributeValue(shadow, '
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>> 'level_');
>> return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp == A || tmp
>> == B || tmp == C || tmp == H)
>> </code>
>> </script>
>> </condition>
>>
>> And get error,
>>
>> ERROR (com.evolveum.midpoint.model.common.expression.Expression): Error
>> evaluating expression in condition in object synchronization null:
>> groovy.lang.MissingPropertyException: No such property: A for class:
>> Script42 (new) condition in object synchronization null
>> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>> groovy.lang.MissingPropertyException: No such property: A for class:
>> Script42 (new) condition in object synchronization null
>>
>> On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> I would do this:
>>>
>>> . . .
>>> <code>
>>> tmp = basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>> 'level_');
>>>
>>> return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>>> </code>
>>> . . .
>>>
>>> Regards,
>>> I.
>>>
>>>
>>> On 12/05/2014 04:12 PM, Jason Everling wrote:
>>>
>>> I was trying to add a condition to the synchronization element,
>>>
>>>  Here is what I got, there is a column in the table level_ , I only
>>> want to sync users that have those specific values
>>>
>>>   <condition>
>>>  <script>
>>>  <code>
>>>  basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>> 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>>  </code>
>>>  </script>
>>>  </condition>
>>>
>>>  When it runs I get the following
>>>
>>>  1 error
>>>  (new) condition in object synchronization null
>>>  at
>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
>>> ~[model-impl-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
>>> ~[model-impl-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
>>> ~[model-impl-3.0.1.jar:na]
>>>  ... 54 common frames omitted
>>> Caused by: javax.script.ScriptException:
>>> org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
>>> failed:
>>> Script37.groovy: 2:
>>> "basic.getAttributeValue(shadow,
>>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>> level_)" is a method call expression, but it should be a variable
>>> expression at line: 2 column: 116. File: Script37.groovy @ line 2, column
>>> 116.
>>>    source/instance-3', 'level_') = (2 || 3
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/b0cdb8eb/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec  5 22:20:47 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 05 Dec 2014 22:20:47 +0100
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
Message-ID: <548221AF.6010009@evolveum.com>

So if it's string, try to use single quotes.

... tmp == '2' || ...


On 12/05/2014 07:02 PM, Jason Everling wrote:
> It was because the A, B, C, H didnt exist in the database, when I
> removed those levels it doesn't error but it also does not create
> accounts for the ones that have a matching level like 2 or 3
>
> JASON
>
> On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling <jeverling at bshp.edu
> <mailto:jeverling at bshp.edu>> wrote:
>
>     I was trying something like that but didnt get anywhere,
>
>     I have,
>
>     <condition>
>     <script>
>     <code>
>     tmp = basic.getAttributeValue(shadow,
>     'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>     'level_');
>     return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp == A
>     || tmp == B || tmp == C || tmp == H)
>     </code>
>     </script>
>     </condition>
>
>     And get error,
>
>     ERROR (com.evolveum.midpoint.model.common.expression.Expression):
>     Error evaluating expression in condition in object synchronization
>     null: groovy.lang.MissingPropertyException: No such property: A
>     for class: Script42 (new) condition in object synchronization null
>     com.evolveum.midpoint.util.exception.ExpressionEvaluationException: groovy.lang.MissingPropertyException:
>     No such property: A for class: Script42 (new) condition in object
>     synchronization null
>
>     On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris
>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>         Hi Jason,
>
>         I would do this:
>
>         . . .
>         <code>
>         tmp = basic.getAttributeValue(shadow,
>         'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>         'level_');
>
>         return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>         </code>
>         . . .
>
>         Regards,
>         I.
>
>
>         On 12/05/2014 04:12 PM, Jason Everling wrote:
>>         I was trying to add a condition to the synchronization element,
>>
>>         Here is what I got, there is a column in the table level_ , I
>>         only want to sync users that have those specific values
>>
>>         <condition>
>>         <script>
>>         <code>
>>         basic.getAttributeValue(shadow,
>>         'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>         'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>         </code>
>>         </script>
>>         </condition>
>>
>>         When it runs I get the following
>>
>>         1 error
>>          (new) condition in object synchronization null
>>         at
>>         com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
>>         ~[model-common-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
>>         ~[model-impl-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
>>         ~[model-impl-3.0.1.jar:na]
>>         at
>>         com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
>>         ~[model-impl-3.0.1.jar:na]
>>         ... 54 common frames omitted
>>         Caused by: javax.script.ScriptException:
>>         org.codehaus.groovy.control.MultipleCompilationErrorsException:
>>         startup failed:
>>         Script37.groovy: 2: 
>>         "basic.getAttributeValue(shadow,
>>         http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>         level_)" is a method call expression, but it should be a
>>         variable expression at line: 2 column: 116. File:
>>         Script37.groovy @ line 2, column 116.
>>            source/instance-3', 'level_') = (2 || 3 
>>
>>
>>
>>         CONFIDENTIALITY NOTICE:
>>         This e-mail together with any attachments is proprietary and
>>         confidential; intended for only the recipient(s) named above
>>         and may contain information that is privileged. You should
>>         not retain, copy or use this e-mail or any attachments for
>>         any purpose, or disclose all or any part of the contents to
>>         any person. Any views or opinions expressed in this e-mail
>>         are those of the author and do not represent those of the
>>         Baptist School of Health Professions. If you have received
>>         this e-mail in error, or are not the named recipient(s), you
>>         are hereby notified that any review, dissemination,
>>         distribution or copying of this communication is prohibited
>>         by the sender and to do so might constitute a violation of
>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>         2510-2521. Please immediately notify the sender and delete
>>         this e-mail and any attachments from your computer.
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>         -- 
>           Ing. Ivan Noris
>           Senior Identity Management Engineer
>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>           _____________________________________________
>           "Semper Id(e)M Vix."
>
>
>         _______________________________________________
>         midPoint mailing list
>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/852f40da/attachment.htm>

From jeverling at bshp.edu  Fri Dec  5 22:46:30 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 15:46:30 -0600
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <548221AF.6010009@evolveum.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
 <548221AF.6010009@evolveum.com>
Message-ID: <CAFkZXY6tMc6rHMohCRCvVNVjVs5mGXDj9mroEa7KFyx-8Rn14w@mail.gmail.com>

It is still the same, I even tried other ways pulling ideas from github,

I tried adding the single quotes, midpoint sees the shadow user under
shadow details but does not create the accounts. If I remove the condition
then the accounts get created. Somehow it is not liking the condition,

<code>
tmp = basic.getAttributeValue(shadow, '
http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
'level_');
return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' || tmp == 'A'
|| tmp == 'B' || tmp == 'C' || tmp == 'H')
</code>

Is the shadow part and namespace correct? this is a DBTable Resource and
the column name is level_ and it is a single value. Does this attribute
need to have a mapping? I am currently not mapping the value in midpoint,
 really wouldn't know what to map it to.

basic.getAttributeValue(shadow, '
http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
'level_')

Here is the full sync object

  <synchronization> <objectSynchronization> <enabled>true</enabled>
<condition> <script> <code> tmp = basic.getAttributeValue(shadow, '
http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
'level_'); return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' ||
tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H') </code> </script>
</condition> <correlation> <q:equal> <q:path>c:employeeNumber</q:path>
<expression> <path> declare namespace icfs="
http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
$account/attributes/icfs:name </path> </expression> </q:equal>
</correlation> <reaction> <situation>linked</situation> <action ref="
http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser"/>
</reaction> <reaction> <situation>deleted</situation> <action ref="
http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/>
</reaction> <reaction> <situation>unlinked</situation> <action ref="
http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/>
</reaction> <reaction> <situation>unmatched</situation> <objectTemplateRef
oid="10000000-0000-0000-0000-000000000203"/> <action ref="
http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
</reaction> </objectSynchronization> </synchronization>





On Fri, Dec 5, 2014 at 3:20 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  So if it's string, try to use single quotes.
>
> ... tmp == '2' || ...
>
>
> On 12/05/2014 07:02 PM, Jason Everling wrote:
>
> It was because the A, B, C, H didnt exist in the database, when I removed
> those levels it doesn't error but it also does not create accounts for the
> ones that have a matching level like 2 or 3
>
>  JASON
>
> On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> I was trying something like that but didnt get anywhere,
>>
>>  I have,
>>
>>   <condition>
>>  <script>
>>  <code>
>>  tmp = basic.getAttributeValue(shadow, '
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>> 'level_');
>>  return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp == A || tmp
>> == B || tmp == C || tmp == H)
>>  </code>
>>  </script>
>>  </condition>
>>
>>  And get error,
>>
>>  ERROR (com.evolveum.midpoint.model.common.expression.Expression): Error
>> evaluating expression in condition in object synchronization null:
>> groovy.lang.MissingPropertyException: No such property: A for class:
>> Script42 (new) condition in object synchronization null
>> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>> groovy.lang.MissingPropertyException: No such property: A for class:
>> Script42 (new) condition in object synchronization null
>>
>> On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> I would do this:
>>>
>>> . . .
>>> <code>
>>> tmp = basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>> 'level_');
>>>
>>> return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>>> </code>
>>> . . .
>>>
>>> Regards,
>>> I.
>>>
>>>
>>> On 12/05/2014 04:12 PM, Jason Everling wrote:
>>>
>>>  I was trying to add a condition to the synchronization element,
>>>
>>>  Here is what I got, there is a column in the table level_ , I only
>>> want to sync users that have those specific values
>>>
>>>   <condition>
>>>  <script>
>>>  <code>
>>>  basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>> 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>>  </code>
>>>  </script>
>>>  </condition>
>>>
>>>  When it runs I get the following
>>>
>>>  1 error
>>>  (new) condition in object synchronization null
>>>  at
>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
>>> ~[model-common-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
>>> ~[model-impl-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
>>> ~[model-impl-3.0.1.jar:na]
>>>  at
>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
>>> ~[model-impl-3.0.1.jar:na]
>>>  ... 54 common frames omitted
>>> Caused by: javax.script.ScriptException:
>>> org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
>>> failed:
>>> Script37.groovy: 2:
>>> "basic.getAttributeValue(shadow,
>>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>> level_)" is a method call expression, but it should be a variable
>>> expression at line: 2 column: 116. File: Script37.groovy @ line 2, column
>>> 116.
>>>    source/instance-3', 'level_') = (2 || 3
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/b5e86441/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec  5 23:34:17 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 05 Dec 2014 23:34:17 +0100
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <CAFkZXY6tMc6rHMohCRCvVNVjVs5mGXDj9mroEa7KFyx-8Rn14w@mail.gmail.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
 <548221AF.6010009@evolveum.com>
 <CAFkZXY6tMc6rHMohCRCvVNVjVs5mGXDj9mroEa7KFyx-8Rn14w@mail.gmail.com>
Message-ID: <548232E9.5080905@evolveum.com>

Yeah, the namespace...

It needs to be the namespace of the resource attributes. That's the same
as in schema handling (by default named "ri").

basic.getAttributeValue(shadow,
'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'level_')

But according to the production object I'm just looking at, it should
even work:

*basic.getAttributeValue(shadow, 'level_')*

This defaults to "ri" namespace.

For example in one of our deployments, in one of our sync
configurations, we have condition with:

<code>
sam = basic.getAttributeValue(shadow, 'samAccountName')
. . .
(and then we process "sam" variable...)
</code>

Sorry, I didn't check the namespace in the original mail.

Regards,
Ivan

On 12/05/2014 10:46 PM, Jason Everling wrote:
> It is still the same, I even tried other ways pulling ideas from github,
>
> I tried adding the single quotes, midpoint sees the shadow user under
> shadow details but does not create the accounts. If I remove the
> condition then the accounts get created. Somehow it is not liking the
> condition,
>
> <code>
> tmp = basic.getAttributeValue(shadow,
> 'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_');
> return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' || tmp ==
> 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H')
> </code>
>
> Is the shadow part and namespace correct? this is a DBTable Resource
> and the column name is level_ and it is a single value. Does this
> attribute need to have a mapping? I am currently not mapping the value
> in midpoint,  really wouldn't know what to map it to.
>
> basic.getAttributeValue(shadow,
> 'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_') 
>
> Here is the full sync object
>
>   <synchronization> <objectSynchronization> <enabled>true</enabled>
> <condition> <script> <code> tmp = basic.getAttributeValue(shadow,
> 'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_'); return (tmp == '2' || tmp == '3' || tmp == '4' || tmp ==
> '5' || tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H') </code>
> </script> </condition> <correlation> <q:equal>
> <q:path>c:employeeNumber</q:path> <expression> <path> declare
> namespace
> icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
> $account/attributes/icfs:name </path> </expression> </q:equal>
> </correlation> <reaction> <situation>linked</situation> <action
> ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser"/>
> </reaction> <reaction> <situation>deleted</situation> <action
> ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/>
> </reaction> <reaction> <situation>unlinked</situation> <action
> ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/>
> </reaction> <reaction> <situation>unmatched</situation>
> <objectTemplateRef oid="10000000-0000-0000-0000-000000000203"/>
> <action
> ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
> </reaction> </objectSynchronization> </synchronization>
>
>
>
>
>
> On Fri, Dec 5, 2014 at 3:20 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     So if it's string, try to use single quotes.
>
>     ... tmp == '2' || ...
>
>
>     On 12/05/2014 07:02 PM, Jason Everling wrote:
>>     It was because the A, B, C, H didnt exist in the database, when I
>>     removed those levels it doesn't error but it also does not create
>>     accounts for the ones that have a matching level like 2 or 3
>>
>>     JASON
>>
>>     On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling
>>     <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>>
>>         I was trying something like that but didnt get anywhere,
>>
>>         I have,
>>
>>         <condition>
>>         <script>
>>         <code>
>>         tmp = basic.getAttributeValue(shadow,
>>         'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>         'level_');
>>         return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp
>>         == A || tmp == B || tmp == C || tmp == H)
>>         </code>
>>         </script>
>>         </condition>
>>
>>         And get error,
>>
>>         ERROR
>>         (com.evolveum.midpoint.model.common.expression.Expression):
>>         Error evaluating expression in condition in object
>>         synchronization null: groovy.lang.MissingPropertyException:
>>         No such property: A for class: Script42 (new) condition in
>>         object synchronization null
>>         com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>>         groovy.lang.MissingPropertyException: No such property: A for
>>         class: Script42 (new) condition in object synchronization null
>>
>>         On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris
>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>             Hi Jason,
>>
>>             I would do this:
>>
>>             . . .
>>             <code>
>>             tmp = basic.getAttributeValue(shadow,
>>             'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>             'level_');
>>
>>             return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>>             </code>
>>             . . .
>>
>>             Regards,
>>             I.
>>
>>
>>             On 12/05/2014 04:12 PM, Jason Everling wrote:
>>>             I was trying to add a condition to the synchronization
>>>             element,
>>>
>>>             Here is what I got, there is a column in the table
>>>             level_ , I only want to sync users that have those
>>>             specific values
>>>
>>>             <condition>
>>>             <script>
>>>             <code>
>>>             basic.getAttributeValue(shadow,
>>>             'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>             'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>>             </code>
>>>             </script>
>>>             </condition>
>>>
>>>             When it runs I get the following
>>>
>>>             1 error
>>>              (new) condition in object synchronization null
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
>>>             ~[model-common-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
>>>             ~[model-impl-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
>>>             ~[model-impl-3.0.1.jar:na]
>>>             at
>>>             com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
>>>             ~[model-impl-3.0.1.jar:na]
>>>             ... 54 common frames omitted
>>>             Caused by: javax.script.ScriptException:
>>>             org.codehaus.groovy.control.MultipleCompilationErrorsException:
>>>             startup failed:
>>>             Script37.groovy: 2: 
>>>             "basic.getAttributeValue(shadow,
>>>             http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>>             level_)" is a method call expression, but it should be a
>>>             variable expression at line: 2 column: 116. File:
>>>             Script37.groovy @ line 2, column 116.
>>>                source/instance-3', 'level_') = (2 || 3 
>>>
>>>
>>>
>>>             CONFIDENTIALITY NOTICE:
>>>             This e-mail together with any attachments is proprietary
>>>             and confidential; intended for only the recipient(s)
>>>             named above and may contain information that is
>>>             privileged. You should not retain, copy or use this
>>>             e-mail or any attachments for any purpose, or disclose
>>>             all or any part of the contents to any person. Any views
>>>             or opinions expressed in this e-mail are those of the
>>>             author and do not represent those of the Baptist School
>>>             of Health Professions. If you have received this e-mail
>>>             in error, or are not the named recipient(s), you are
>>>             hereby notified that any review, dissemination,
>>>             distribution or copying of this communication is
>>>             prohibited by the sender and to do so might constitute a
>>>             violation of the Electronic Communications Privacy Act,
>>>             18 U.S.C. section 2510-2521. Please immediately notify
>>>             the sender and delete this e-mail and any attachments
>>>             from your computer.
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>             -- 
>>               Ing. Ivan Noris
>>               Senior Identity Management Engineer
>>               evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>               _____________________________________________
>>               "Semper Id(e)M Vix."
>>
>>
>>             _______________________________________________
>>             midPoint mailing list
>>             midPoint at lists.evolveum.com
>>             <mailto:midPoint at lists.evolveum.com>
>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/0f4bb112/attachment.htm>

From jeverling at bshp.edu  Fri Dec  5 23:40:11 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 16:40:11 -0600
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <548232E9.5080905@evolveum.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
 <548221AF.6010009@evolveum.com>
 <CAFkZXY6tMc6rHMohCRCvVNVjVs5mGXDj9mroEa7KFyx-8Rn14w@mail.gmail.com>
 <548232E9.5080905@evolveum.com>
Message-ID: <CAFkZXY5OOqfukSfdKcDGc3JNQV0WCiiSjYHGJoD-ywZPat6eag@mail.gmail.com>

Yes, I changed to instance-3 and it is working, I have another error though
now, seems that when it get created in Midpoint and the roles are assigned
it gets stuck and errors on the AD Provisioning with

Caused by: com.evolveum.midpoint.util.exception.SystemException:
com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
groovy.lang.MissingPropertyException: No such property: familyName for
class: Script75 expression in mapping in outbound mapping for
{.../connector/icf-1/resource-schema-3}name in
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office 365,
Google Apps, Moodle)(organization=PPV(PolyString:OU=SHP
Students,DC=TEST,DC=LOCAL); familyNam=null; givenName=PPV(PolyString:John);
) in expression in mapping in outbound mapping for
{.../connector/icf-1/resource-schema-3}name in
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office 365,
Google Apps, Moodle)

Why familyName error? If I look at the created user in Midpoint the user
account has a correct lastname and all the other attributes look fine.

JASON

On Fri, Dec 5, 2014 at 4:34 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Yeah, the namespace...
>
> It needs to be the namespace of the resource attributes. That's the same
> as in schema handling (by default named "ri").
>
> basic.getAttributeValue(shadow, '
> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'level_')
>
> But according to the production object I'm just looking at, it should even
> work:
>
> *basic.getAttributeValue(shadow, 'level_')*
>
> This defaults to "ri" namespace.
>
> For example in one of our deployments, in one of our sync configurations,
> we have condition with:
>
> <code>
> sam = basic.getAttributeValue(shadow, 'samAccountName')
> . . .
> (and then we process "sam" variable...)
> </code>
>
> Sorry, I didn't check the namespace in the original mail.
>
> Regards,
> Ivan
>
>
> On 12/05/2014 10:46 PM, Jason Everling wrote:
>
> It is still the same, I even tried other ways pulling ideas from github,
>
>  I tried adding the single quotes, midpoint sees the shadow user under
> shadow details but does not create the accounts. If I remove the condition
> then the accounts get created. Somehow it is not liking the condition,
>
>   <code>
>  tmp = basic.getAttributeValue(shadow, '
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_');
>  return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' || tmp ==
> 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H')
>  </code>
>
>  Is the shadow part and namespace correct? this is a DBTable Resource and
> the column name is level_ and it is a single value. Does this attribute
> need to have a mapping? I am currently not mapping the value in midpoint,
>  really wouldn't know what to map it to.
>
>  basic.getAttributeValue(shadow, '
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_')
>
>  Here is the full sync object
>
>    <synchronization> <objectSynchronization> <enabled>true</enabled>
> <condition> <script> <code> tmp = basic.getAttributeValue(shadow, '
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
> 'level_'); return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' ||
> tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H') </code> </script>
> </condition> <correlation> <q:equal> <q:path>c:employeeNumber</q:path>
> <expression> <path> declare namespace icfs="
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
> $account/attributes/icfs:name </path> </expression> </q:equal>
> </correlation> <reaction> <situation>linked</situation> <action ref="
> http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser"/>
> </reaction> <reaction> <situation>deleted</situation> <action ref="
> http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/>
> </reaction> <reaction> <situation>unlinked</situation> <action ref="
> http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/>
> </reaction> <reaction> <situation>unmatched</situation> <objectTemplateRef
> oid="10000000-0000-0000-0000-000000000203"/> <action ref="
> http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
> </reaction> </objectSynchronization> </synchronization>
>
>
>
>
>
> On Fri, Dec 5, 2014 at 3:20 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  So if it's string, try to use single quotes.
>>
>> ... tmp == '2' || ...
>>
>>
>> On 12/05/2014 07:02 PM, Jason Everling wrote:
>>
>> It was because the A, B, C, H didnt exist in the database, when I removed
>> those levels it doesn't error but it also does not create accounts for the
>> ones that have a matching level like 2 or 3
>>
>>  JASON
>>
>> On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> I was trying something like that but didnt get anywhere,
>>>
>>>  I have,
>>>
>>>   <condition>
>>>  <script>
>>>  <code>
>>>  tmp = basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>> 'level_');
>>>  return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp == A ||
>>> tmp == B || tmp == C || tmp == H)
>>>  </code>
>>>  </script>
>>>  </condition>
>>>
>>>  And get error,
>>>
>>>  ERROR (com.evolveum.midpoint.model.common.expression.Expression):
>>> Error evaluating expression in condition in object synchronization null:
>>> groovy.lang.MissingPropertyException: No such property: A for class:
>>> Script42 (new) condition in object synchronization null
>>> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>>> groovy.lang.MissingPropertyException: No such property: A for class:
>>> Script42 (new) condition in object synchronization null
>>>
>>> On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>> I would do this:
>>>>
>>>> . . .
>>>> <code>
>>>> tmp = basic.getAttributeValue(shadow, '
>>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>> 'level_');
>>>>
>>>> return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>>>> </code>
>>>> . . .
>>>>
>>>> Regards,
>>>> I.
>>>>
>>>>
>>>> On 12/05/2014 04:12 PM, Jason Everling wrote:
>>>>
>>>>  I was trying to add a condition to the synchronization element,
>>>>
>>>>  Here is what I got, there is a column in the table level_ , I only
>>>> want to sync users that have those specific values
>>>>
>>>>   <condition>
>>>>  <script>
>>>>  <code>
>>>>  basic.getAttributeValue(shadow, '
>>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>> 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>>>  </code>
>>>>  </script>
>>>>  </condition>
>>>>
>>>>  When it runs I get the following
>>>>
>>>>  1 error
>>>>  (new) condition in object synchronization null
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)
>>>> ~[model-common-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)
>>>> ~[model-impl-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)
>>>> ~[model-impl-3.0.1.jar:na]
>>>>  at
>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)
>>>> ~[model-impl-3.0.1.jar:na]
>>>>  ... 54 common frames omitted
>>>> Caused by: javax.script.ScriptException:
>>>> org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
>>>> failed:
>>>> Script37.groovy: 2:
>>>> "basic.getAttributeValue(shadow,
>>>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>>> level_)" is a method call expression, but it should be a variable
>>>> expression at line: 2 column: 116. File: Script37.groovy @ line 2, column
>>>> 116.
>>>>    source/instance-3', 'level_') = (2 || 3
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/c9e14b51/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec  5 23:59:28 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 05 Dec 2014 23:59:28 +0100
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <CAFkZXY5OOqfukSfdKcDGc3JNQV0WCiiSjYHGJoD-ywZPat6eag@mail.gmail.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
 <548221AF.6010009@evolveum.com>
 <CAFkZXY6tMc6rHMohCRCvVNVjVs5mGXDj9mroEa7KFyx-8Rn14w@mail.gmail.com>
 <548232E9.5080905@evolveum.com>
 <CAFkZXY5OOqfukSfdKcDGc3JNQV0WCiiSjYHGJoD-ywZPat6eag@mail.gmail.com>
Message-ID: <548238D0.1050501@evolveum.com>

Jason,

how does the mapping for icfs:name in Active Directory resource look like?

I.


On 12/05/2014 11:40 PM, Jason Everling wrote:
> Yes, I changed to instance-3 and it is working, I have another error
> though now, seems that when it get created in Midpoint and the roles
> are assigned it gets stuck and errors on the AD Provisioning with
>
> Caused by: com.evolveum.midpoint.util.exception.SystemException:
> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
> groovy.lang.MissingPropertyException: No such property: familyName for
> class: Script75 expression in mapping in outbound mapping for
> {.../connector/icf-1/resource-schema-3}name in
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
> 365, Google Apps, Moodle)(organization=PPV(PolyString:OU=SHP
> Students,DC=TEST,DC=LOCAL); familyNam=null;
> givenName=PPV(PolyString:John); ) in expression in mapping in outbound
> mapping for {.../connector/icf-1/resource-schema-3}name in
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
> 365, Google Apps, Moodle)
>
> Why familyName error? If I look at the created user in Midpoint the
> user account has a correct lastname and all the other attributes look
> fine.
>
> JASON
>
> On Fri, Dec 5, 2014 at 4:34 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Yeah, the namespace...
>
>     It needs to be the namespace of the resource attributes. That's
>     the same as in schema handling (by default named "ri").
>
>     basic.getAttributeValue(shadow,
>     'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3',
>     'level_')
>
>     But according to the production object I'm just looking at, it
>     should even work:
>
>     *basic.getAttributeValue(shadow, 'level_')*
>
>     This defaults to "ri" namespace.
>
>     For example in one of our deployments, in one of our sync
>     configurations, we have condition with:
>
>     <code>
>     sam = basic.getAttributeValue(shadow, 'samAccountName')
>     . . .
>     (and then we process "sam" variable...)
>     </code>
>
>     Sorry, I didn't check the namespace in the original mail.
>
>     Regards,
>     Ivan
>
>
>     On 12/05/2014 10:46 PM, Jason Everling wrote:
>>     It is still the same, I even tried other ways pulling ideas from
>>     github,
>>
>>     I tried adding the single quotes, midpoint sees the shadow user
>>     under shadow details but does not create the accounts. If I
>>     remove the condition then the accounts get created. Somehow it is
>>     not liking the condition,
>>
>>     <code>
>>     tmp = basic.getAttributeValue(shadow,
>>     'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>     'level_');
>>     return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' ||
>>     tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H')
>>     </code>
>>
>>     Is the shadow part and namespace correct? this is a DBTable
>>     Resource and the column name is level_ and it is a single value.
>>     Does this attribute need to have a mapping? I am currently not
>>     mapping the value in midpoint,  really wouldn't know what to map
>>     it to.
>>
>>     basic.getAttributeValue(shadow,
>>     'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>     'level_') 
>>
>>     Here is the full sync object
>>
>>       <synchronization> <objectSynchronization>
>>     <enabled>true</enabled> <condition> <script> <code> tmp =
>>     basic.getAttributeValue(shadow,
>>     'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>     'level_'); return (tmp == '2' || tmp == '3' || tmp == '4' || tmp
>>     == '5' || tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H')
>>     </code> </script> </condition> <correlation> <q:equal>
>>     <q:path>c:employeeNumber</q:path> <expression> <path> declare
>>     namespace
>>     icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>     $account/attributes/icfs:name </path> </expression> </q:equal>
>>     </correlation> <reaction> <situation>linked</situation> <action
>>     ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser"/>
>>     </reaction> <reaction> <situation>deleted</situation> <action
>>     ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/>
>>     </reaction> <reaction> <situation>unlinked</situation> <action
>>     ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/>
>>     </reaction> <reaction> <situation>unmatched</situation>
>>     <objectTemplateRef oid="10000000-0000-0000-0000-000000000203"/>
>>     <action
>>     ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
>>     </reaction> </objectSynchronization> </synchronization>
>>
>>
>>
>>
>>
>>     On Fri, Dec 5, 2014 at 3:20 PM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         So if it's string, try to use single quotes.
>>
>>         ... tmp == '2' || ...
>>
>>
>>         On 12/05/2014 07:02 PM, Jason Everling wrote:
>>>         It was because the A, B, C, H didnt exist in the database,
>>>         when I removed those levels it doesn't error but it also
>>>         does not create accounts for the ones that have a matching
>>>         level like 2 or 3
>>>
>>>         JASON
>>>
>>>         On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling
>>>         <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>>>
>>>             I was trying something like that but didnt get anywhere,
>>>
>>>             I have,
>>>
>>>             <condition>
>>>             <script>
>>>             <code>
>>>             tmp = basic.getAttributeValue(shadow,
>>>             'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>             'level_');
>>>             return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 ||
>>>             tmp == A || tmp == B || tmp == C || tmp == H)
>>>             </code>
>>>             </script>
>>>             </condition>
>>>
>>>             And get error,
>>>
>>>             ERROR
>>>             (com.evolveum.midpoint.model.common.expression.Expression):
>>>             Error evaluating expression in condition in object
>>>             synchronization null:
>>>             groovy.lang.MissingPropertyException: No such property:
>>>             A for class: Script42 (new) condition in object
>>>             synchronization null
>>>             com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>>>             groovy.lang.MissingPropertyException: No such property:
>>>             A for class: Script42 (new) condition in object
>>>             synchronization null
>>>
>>>             On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris
>>>             <ivan.noris at evolveum.com
>>>             <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>>                 Hi Jason,
>>>
>>>                 I would do this:
>>>
>>>                 . . .
>>>                 <code>
>>>                 tmp = basic.getAttributeValue(shadow,
>>>                 'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>                 'level_');
>>>
>>>                 return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>>>                 </code>
>>>                 . . .
>>>
>>>                 Regards,
>>>                 I.
>>>
>>>
>>>                 On 12/05/2014 04:12 PM, Jason Everling wrote:
>>>>                 I was trying to add a condition to the
>>>>                 synchronization element,
>>>>
>>>>                 Here is what I got, there is a column in the table
>>>>                 level_ , I only want to sync users that have those
>>>>                 specific values
>>>>
>>>>                 <condition>
>>>>                 <script>
>>>>                 <code>
>>>>                 basic.getAttributeValue(shadow,
>>>>                 'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>                 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>>>                 </code>
>>>>                 </script>
>>>>                 </condition>
>>>>
>>>>                 When it runs I get the following
>>>>
>>>>                 1 error
>>>>                  (new) condition in object synchronization null
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)~[model-common-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)~[model-impl-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)~[model-impl-3.0.1.jar:na]
>>>>                 at
>>>>                 com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)~[model-impl-3.0.1.jar:na]
>>>>                 ... 54 common frames omitted
>>>>                 Caused by: javax.script.ScriptException:
>>>>                 org.codehaus.groovy.control.MultipleCompilationErrorsException:
>>>>                 startup failed:
>>>>                 Script37.groovy: 2: 
>>>>                 "basic.getAttributeValue(shadow,
>>>>                 http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>>>                 level_)" is a method call expression, but it should
>>>>                 be a variable expression at line: 2 column: 116.
>>>>                 File: Script37.groovy @ line 2, column 116.
>>>>                    source/instance-3', 'level_') = (2 || 3 
>>>>
>>>>
>>>>
>>>>                 CONFIDENTIALITY NOTICE:
>>>>                 This e-mail together with any attachments is
>>>>                 proprietary and confidential; intended for only the
>>>>                 recipient(s) named above and may contain
>>>>                 information that is privileged. You should not
>>>>                 retain, copy or use this e-mail or any attachments
>>>>                 for any purpose, or disclose all or any part of the
>>>>                 contents to any person. Any views or opinions
>>>>                 expressed in this e-mail are those of the author
>>>>                 and do not represent those of the Baptist School of
>>>>                 Health Professions. If you have received this
>>>>                 e-mail in error, or are not the named recipient(s),
>>>>                 you are hereby notified that any review,
>>>>                 dissemination, distribution or copying of this
>>>>                 communication is prohibited by the sender and to do
>>>>                 so might constitute a violation of the Electronic
>>>>                 Communications Privacy Act, 18 U.S.C. section
>>>>                 2510-2521. Please immediately notify the sender and
>>>>                 delete this e-mail and any attachments from your
>>>>                 computer.
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 midPoint mailing list
>>>>                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>                 -- 
>>>                   Ing. Ivan Noris
>>>                   Senior Identity Management Engineer
>>>                   evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>                   _____________________________________________
>>>                   "Semper Id(e)M Vix."
>>>
>>>
>>>                 _______________________________________________
>>>                 midPoint mailing list
>>>                 midPoint at lists.evolveum.com
>>>                 <mailto:midPoint at lists.evolveum.com>
>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/4a2cf7c2/attachment.htm>

From jeverling at bshp.edu  Sat Dec  6 00:13:34 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 17:13:34 -0600
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <548238D0.1050501@evolveum.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
 <548221AF.6010009@evolveum.com>
 <CAFkZXY6tMc6rHMohCRCvVNVjVs5mGXDj9mroEa7KFyx-8Rn14w@mail.gmail.com>
 <548232E9.5080905@evolveum.com>
 <CAFkZXY5OOqfukSfdKcDGc3JNQV0WCiiSjYHGJoD-ywZPat6eag@mail.gmail.com>
 <548238D0.1050501@evolveum.com>
Message-ID: <CAFkZXY5QcOY8vVSKm+SChZOt102od3uDNqKdBLzCr=1CN7htig@mail.gmail.com>

omg... I feel so dumb, I swear I looked at that a million times! I had a
typo for familyNam , I was missing the 'e' ...I swear I checked that!!

It is all working now, Users from DBTable are created and synced,

JASON

On Fri, Dec 5, 2014 at 4:59 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> how does the mapping for icfs:name in Active Directory resource look like?
>
> I.
>
>
>
> On 12/05/2014 11:40 PM, Jason Everling wrote:
>
> Yes, I changed to instance-3 and it is working, I have another error
> though now, seems that when it get created in Midpoint and the roles are
> assigned it gets stuck and errors on the AD Provisioning with
>
>  Caused by: com.evolveum.midpoint.util.exception.SystemException:
> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
> groovy.lang.MissingPropertyException: No such property: familyName for
> class: Script75 expression in mapping in outbound mapping for
> {.../connector/icf-1/resource-schema-3}name in
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
> 365, Google Apps, Moodle)(organization=PPV(PolyString:OU=SHP
> Students,DC=TEST,DC=LOCAL); familyNam=null; givenName=PPV(PolyString:John);
> ) in expression in mapping in outbound mapping for
> {.../connector/icf-1/resource-schema-3}name in
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
> 365, Google Apps, Moodle)
>
>  Why familyName error? If I look at the created user in Midpoint the user
> account has a correct lastname and all the other attributes look fine.
>
>  JASON
>
> On Fri, Dec 5, 2014 at 4:34 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Yeah, the namespace...
>>
>> It needs to be the namespace of the resource attributes. That's the same
>> as in schema handling (by default named "ri").
>>
>> basic.getAttributeValue(shadow, '
>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3',
>> 'level_')
>>
>> But according to the production object I'm just looking at, it should
>> even work:
>>
>> *basic.getAttributeValue(shadow, 'level_')*
>>
>> This defaults to "ri" namespace.
>>
>> For example in one of our deployments, in one of our sync configurations,
>> we have condition with:
>>
>> <code>
>> sam = basic.getAttributeValue(shadow, 'samAccountName')
>> . . .
>> (and then we process "sam" variable...)
>> </code>
>>
>> Sorry, I didn't check the namespace in the original mail.
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/05/2014 10:46 PM, Jason Everling wrote:
>>
>> It is still the same, I even tried other ways pulling ideas from github,
>>
>>  I tried adding the single quotes, midpoint sees the shadow user under
>> shadow details but does not create the accounts. If I remove the condition
>> then the accounts get created. Somehow it is not liking the condition,
>>
>>   <code>
>>  tmp = basic.getAttributeValue(shadow, '
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>> 'level_');
>>  return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' || tmp ==
>> 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H')
>>  </code>
>>
>>  Is the shadow part and namespace correct? this is a DBTable Resource
>> and the column name is level_ and it is a single value. Does this attribute
>> need to have a mapping? I am currently not mapping the value in midpoint,
>>  really wouldn't know what to map it to.
>>
>>  basic.getAttributeValue(shadow, '
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>> 'level_')
>>
>>  Here is the full sync object
>>
>>    <synchronization> <objectSynchronization> <enabled>true</enabled>
>> <condition> <script> <code> tmp = basic.getAttributeValue(shadow, '
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>> 'level_'); return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' ||
>> tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H') </code> </script>
>> </condition> <correlation> <q:equal> <q:path>c:employeeNumber</q:path>
>> <expression> <path> declare namespace icfs="
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>> $account/attributes/icfs:name </path> </expression> </q:equal>
>> </correlation> <reaction> <situation>linked</situation> <action ref="
>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser"/>
>> </reaction> <reaction> <situation>deleted</situation> <action ref="
>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/>
>> </reaction> <reaction> <situation>unlinked</situation> <action ref="
>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/>
>> </reaction> <reaction> <situation>unmatched</situation> <objectTemplateRef
>> oid="10000000-0000-0000-0000-000000000203"/> <action ref="
>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
>> </reaction> </objectSynchronization> </synchronization>
>>
>>
>>
>>
>>
>> On Fri, Dec 5, 2014 at 3:20 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  So if it's string, try to use single quotes.
>>>
>>> ... tmp == '2' || ...
>>>
>>>
>>> On 12/05/2014 07:02 PM, Jason Everling wrote:
>>>
>>> It was because the A, B, C, H didnt exist in the database, when I
>>> removed those levels it doesn't error but it also does not create accounts
>>> for the ones that have a matching level like 2 or 3
>>>
>>>  JASON
>>>
>>> On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> I was trying something like that but didnt get anywhere,
>>>>
>>>>  I have,
>>>>
>>>>   <condition>
>>>>  <script>
>>>>  <code>
>>>>  tmp = basic.getAttributeValue(shadow, '
>>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>> 'level_');
>>>>  return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp == A ||
>>>> tmp == B || tmp == C || tmp == H)
>>>>  </code>
>>>>  </script>
>>>>  </condition>
>>>>
>>>>  And get error,
>>>>
>>>>  ERROR (com.evolveum.midpoint.model.common.expression.Expression):
>>>> Error evaluating expression in condition in object synchronization null:
>>>> groovy.lang.MissingPropertyException: No such property: A for class:
>>>> Script42 (new) condition in object synchronization null
>>>> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>>>> groovy.lang.MissingPropertyException: No such property: A for class:
>>>> Script42 (new) condition in object synchronization null
>>>>
>>>> On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hi Jason,
>>>>>
>>>>> I would do this:
>>>>>
>>>>> . . .
>>>>> <code>
>>>>> tmp = basic.getAttributeValue(shadow, '
>>>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>> 'level_');
>>>>>
>>>>> return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>>>>> </code>
>>>>> . . .
>>>>>
>>>>> Regards,
>>>>> I.
>>>>>
>>>>>
>>>>> On 12/05/2014 04:12 PM, Jason Everling wrote:
>>>>>
>>>>>  I was trying to add a condition to the synchronization element,
>>>>>
>>>>>  Here is what I got, there is a column in the table level_ , I only
>>>>> want to sync users that have those specific values
>>>>>
>>>>>   <condition>
>>>>>  <script>
>>>>>  <code>
>>>>>  basic.getAttributeValue(shadow, '
>>>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>> 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>>>>  </code>
>>>>>  </script>
>>>>>  </condition>
>>>>>
>>>>>  When it runs I get the following
>>>>>
>>>>>  1 error
>>>>>  (new) condition in object synchronization null
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)~[model-common-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)~[model-impl-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)~[model-impl-3.0.1.jar:na]
>>>>>  at
>>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)~[model-impl-3.0.1.jar:na]
>>>>>  ... 54 common frames omitted
>>>>> Caused by: javax.script.ScriptException:
>>>>> org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
>>>>> failed:
>>>>> Script37.groovy: 2:
>>>>> "basic.getAttributeValue(shadow,
>>>>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>>>> level_)" is a method call expression, but it should be a variable
>>>>> expression at line: 2 column: 116. File: Script37.groovy @ line 2, column
>>>>> 116.
>>>>>    source/instance-3', 'level_') = (2 || 3
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>> --
>>>>>   Ing. Ivan Noris
>>>>>   Senior Identity Management Engineer
>>>>>   evolveum.com     evolveum.com/blog/
>>>>>   _____________________________________________
>>>>>   "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/04627985/attachment.htm>

From ivan.noris at evolveum.com  Sat Dec  6 00:27:00 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Sat, 06 Dec 2014 00:27:00 +0100
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <CAFkZXY5QcOY8vVSKm+SChZOt102od3uDNqKdBLzCr=1CN7htig@mail.gmail.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
 <548221AF.6010009@evolveum.com>
 <CAFkZXY6tMc6rHMohCRCvVNVjVs5mGXDj9mroEa7KFyx-8Rn14w@mail.gmail.com>
 <548232E9.5080905@evolveum.com>
 <CAFkZXY5OOqfukSfdKcDGc3JNQV0WCiiSjYHGJoD-ywZPat6eag@mail.gmail.com>
 <548238D0.1050501@evolveum.com>
 <CAFkZXY5QcOY8vVSKm+SChZOt102od3uDNqKdBLzCr=1CN7htig@mail.gmail.com>
Message-ID: <54823F44.8020109@evolveum.com>

Jason,

no reason to feel dumb. I've noticed the possible typo here, that's why
I have asked for confirmation:

Caused by: com.evolveum.midpoint.util.exception.SystemException:
com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
groovy.lang.MissingPropertyException: No such property: familyName for
class: Script75 expression in mapping in outbound mapping for
{.../connector/icf-1/resource-schema-3}name in
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
365, Google Apps, Moodle)(organization=PPV(PolyString:OU=SHP
Students,DC=TEST,DC=LOCAL);***familyNam**=null*;
givenName=PPV(PolyString:John); ) in expression in mapping in outbound
mapping for {.../connector/icf-1/resource-schema-3}name in
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
365, Google Apps, Moodle)

The log entry above can be explained as:

No such property: familyName ... in mapping ... - you are referencing
the "familyName" variable but it has no definition (e.g. source) in the
mapping.

The mapping could have a <name>Mapping for DN attribute</name>, but it's
obviously mapping for icfs:name, because of
"{.../connector/icf-1/resource-schema-3}name".

The resource is "Active Directory: Office 365, Google Apps, Moodle".

The sources for this mapping are: organization, familyNam (that's the
typo), givenName. Also values are printed.

As the familyName had no value, the mapping expression was referencing
non-existent variable in Groovy interpreter.

So this time it was easy to find the typo :) Some other problems take
more time to get a clue.

So it's working, which is fine ;-)

Regards and have a nice weekend.

Ivan

On 12/06/2014 12:13 AM, Jason Everling wrote:
> omg... I feel so dumb, I swear I looked at that a million times! I had
> a typo for familyNam , I was missing the 'e' ...I swear I checked that!!
>
> It is all working now, Users from DBTable are created and synced,
>
> JASON
>
> On Fri, Dec 5, 2014 at 4:59 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Jason,
>
>     how does the mapping for icfs:name in Active Directory resource
>     look like?
>
>     I.
>
>
>
>     On 12/05/2014 11:40 PM, Jason Everling wrote:
>>     Yes, I changed to instance-3 and it is working, I have another
>>     error though now, seems that when it get created in Midpoint and
>>     the roles are assigned it gets stuck and errors on the AD
>>     Provisioning with
>>
>>     Caused by: com.evolveum.midpoint.util.exception.SystemException:
>>     com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>>     groovy.lang.MissingPropertyException: No such property:
>>     familyName for class: Script75 expression in mapping in outbound
>>     mapping for {.../connector/icf-1/resource-schema-3}name in
>>     resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory:
>>     Office 365, Google Apps,
>>     Moodle)(organization=PPV(PolyString:OU=SHP
>>     Students,DC=TEST,DC=LOCAL); familyNam=null;
>>     givenName=PPV(PolyString:John); ) in expression in mapping in
>>     outbound mapping for {.../connector/icf-1/resource-schema-3}name
>>     in resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active
>>     Directory: Office 365, Google Apps, Moodle)
>>
>>     Why familyName error? If I look at the created user in Midpoint
>>     the user account has a correct lastname and all the other
>>     attributes look fine.
>>
>>     JASON
>>
>>     On Fri, Dec 5, 2014 at 4:34 PM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Yeah, the namespace...
>>
>>         It needs to be the namespace of the resource attributes.
>>         That's the same as in schema handling (by default named "ri").
>>
>>         basic.getAttributeValue(shadow,
>>         'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3',
>>         'level_')
>>
>>         But according to the production object I'm just looking at,
>>         it should even work:
>>
>>         *basic.getAttributeValue(shadow, 'level_')*
>>
>>         This defaults to "ri" namespace.
>>
>>         For example in one of our deployments, in one of our sync
>>         configurations, we have condition with:
>>
>>         <code>
>>         sam = basic.getAttributeValue(shadow, 'samAccountName')
>>         . . .
>>         (and then we process "sam" variable...)
>>         </code>
>>
>>         Sorry, I didn't check the namespace in the original mail.
>>
>>         Regards,
>>         Ivan
>>
>>
>>         On 12/05/2014 10:46 PM, Jason Everling wrote:
>>>         It is still the same, I even tried other ways pulling ideas
>>>         from github,
>>>
>>>         I tried adding the single quotes, midpoint sees the shadow
>>>         user under shadow details but does not create the accounts.
>>>         If I remove the condition then the accounts get created.
>>>         Somehow it is not liking the condition,
>>>
>>>         <code>
>>>         tmp = basic.getAttributeValue(shadow,
>>>         'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>         'level_');
>>>         return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5'
>>>         || tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H')
>>>         </code>
>>>
>>>         Is the shadow part and namespace correct? this is a DBTable
>>>         Resource and the column name is level_ and it is a single
>>>         value. Does this attribute need to have a mapping? I am
>>>         currently not mapping the value in midpoint,  really
>>>         wouldn't know what to map it to.
>>>
>>>         basic.getAttributeValue(shadow,
>>>         'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>         'level_') 
>>>
>>>         Here is the full sync object
>>>
>>>           <synchronization> <objectSynchronization>
>>>         <enabled>true</enabled> <condition> <script> <code> tmp =
>>>         basic.getAttributeValue(shadow,
>>>         'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>         'level_'); return (tmp == '2' || tmp == '3' || tmp == '4' ||
>>>         tmp == '5' || tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp
>>>         == 'H') </code> </script> </condition> <correlation>
>>>         <q:equal> <q:path>c:employeeNumber</q:path> <expression>
>>>         <path> declare namespace
>>>         icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>>         $account/attributes/icfs:name </path> </expression>
>>>         </q:equal> </correlation> <reaction>
>>>         <situation>linked</situation> <action
>>>         ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser"/>
>>>         </reaction> <reaction> <situation>deleted</situation>
>>>         <action
>>>         ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/>
>>>         </reaction> <reaction> <situation>unlinked</situation>
>>>         <action
>>>         ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/>
>>>         </reaction> <reaction> <situation>unmatched</situation>
>>>         <objectTemplateRef
>>>         oid="10000000-0000-0000-0000-000000000203"/> <action
>>>         ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
>>>         </reaction> </objectSynchronization> </synchronization>
>>>
>>>
>>>
>>>
>>>
>>>         On Fri, Dec 5, 2014 at 3:20 PM, Ivan Noris
>>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>>
>>>         wrote:
>>>
>>>             So if it's string, try to use single quotes.
>>>
>>>             ... tmp == '2' || ...
>>>
>>>
>>>             On 12/05/2014 07:02 PM, Jason Everling wrote:
>>>>             It was because the A, B, C, H didnt exist in the
>>>>             database, when I removed those levels it doesn't error
>>>>             but it also does not create accounts for the ones that
>>>>             have a matching level like 2 or 3
>>>>
>>>>             JASON
>>>>
>>>>             On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling
>>>>             <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>>>>
>>>>                 I was trying something like that but didnt get
>>>>                 anywhere,
>>>>
>>>>                 I have,
>>>>
>>>>                 <condition>
>>>>                 <script>
>>>>                 <code>
>>>>                 tmp = basic.getAttributeValue(shadow,
>>>>                 'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>                 'level_');
>>>>                 return (tmp == 2 || tmp == 3 || tmp == 4 || tmp ==
>>>>                 5 || tmp == A || tmp == B || tmp == C || tmp == H)
>>>>                 </code>
>>>>                 </script>
>>>>                 </condition>
>>>>
>>>>                 And get error,
>>>>
>>>>                 ERROR
>>>>                 (com.evolveum.midpoint.model.common.expression.Expression):
>>>>                 Error evaluating expression in condition in object
>>>>                 synchronization null:
>>>>                 groovy.lang.MissingPropertyException: No such
>>>>                 property: A for class: Script42 (new) condition in
>>>>                 object synchronization null
>>>>                 com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>>>>                 groovy.lang.MissingPropertyException: No such
>>>>                 property: A for class: Script42 (new) condition in
>>>>                 object synchronization null
>>>>
>>>>                 On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris
>>>>                 <ivan.noris at evolveum.com
>>>>                 <mailto:ivan.noris at evolveum.com>> wrote:
>>>>
>>>>                     Hi Jason,
>>>>
>>>>                     I would do this:
>>>>
>>>>                     . . .
>>>>                     <code>
>>>>                     tmp = basic.getAttributeValue(shadow,
>>>>                     'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>                     'level_');
>>>>
>>>>                     return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>>>>                     </code>
>>>>                     . . .
>>>>
>>>>                     Regards,
>>>>                     I.
>>>>
>>>>
>>>>                     On 12/05/2014 04:12 PM, Jason Everling wrote:
>>>>>                     I was trying to add a condition to the
>>>>>                     synchronization element,
>>>>>
>>>>>                     Here is what I got, there is a column in the
>>>>>                     table level_ , I only want to sync users that
>>>>>                     have those specific values
>>>>>
>>>>>                     <condition>
>>>>>                     <script>
>>>>>                     <code>
>>>>>                     basic.getAttributeValue(shadow,
>>>>>                     'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>>                     'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>>>>                     </code>
>>>>>                     </script>
>>>>>                     </condition>
>>>>>
>>>>>                     When it runs I get the following
>>>>>
>>>>>                     1 error
>>>>>                      (new) condition in object synchronization null
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)~[model-common-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)~[model-impl-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)~[model-impl-3.0.1.jar:na]
>>>>>                     at
>>>>>                     com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)~[model-impl-3.0.1.jar:na]
>>>>>                     ... 54 common frames omitted
>>>>>                     Caused by: javax.script.ScriptException:
>>>>>                     org.codehaus.groovy.control.MultipleCompilationErrorsException:
>>>>>                     startup failed:
>>>>>                     Script37.groovy: 2: 
>>>>>                     "basic.getAttributeValue(shadow,
>>>>>                     http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>>>>                     level_)" is a method call expression, but it
>>>>>                     should be a variable expression at line: 2
>>>>>                     column: 116. File: Script37.groovy @ line 2,
>>>>>                     column 116.
>>>>>                        source/instance-3', 'level_') = (2 || 3 
>>>>>
>>>>>
>>>>>
>>>>>                     CONFIDENTIALITY NOTICE:
>>>>>                     This e-mail together with any attachments is
>>>>>                     proprietary and confidential; intended for
>>>>>                     only the recipient(s) named above and may
>>>>>                     contain information that is privileged. You
>>>>>                     should not retain, copy or use this e-mail or
>>>>>                     any attachments for any purpose, or disclose
>>>>>                     all or any part of the contents to any person.
>>>>>                     Any views or opinions expressed in this e-mail
>>>>>                     are those of the author and do not represent
>>>>>                     those of the Baptist School of Health
>>>>>                     Professions. If you have received this e-mail
>>>>>                     in error, or are not the named recipient(s),
>>>>>                     you are hereby notified that any review,
>>>>>                     dissemination, distribution or copying of this
>>>>>                     communication is prohibited by the sender and
>>>>>                     to do so might constitute a violation of the
>>>>>                     Electronic Communications Privacy Act, 18
>>>>>                     U.S.C. section 2510-2521. Please immediately
>>>>>                     notify the sender and delete this e-mail and
>>>>>                     any attachments from your computer.
>>>>>
>>>>>
>>>>>                     _______________________________________________
>>>>>                     midPoint mailing list
>>>>>                     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>                     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>                     -- 
>>>>                       Ing. Ivan Noris
>>>>                       Senior Identity Management Engineer
>>>>                       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>                       _____________________________________________
>>>>                       "Semper Id(e)M Vix."
>>>>
>>>>
>>>>                     _______________________________________________
>>>>                     midPoint mailing list
>>>>                     midPoint at lists.evolveum.com
>>>>                     <mailto:midPoint at lists.evolveum.com>
>>>>                     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>             CONFIDENTIALITY NOTICE:
>>>>             This e-mail together with any attachments is
>>>>             proprietary and confidential; intended for only the
>>>>             recipient(s) named above and may contain information
>>>>             that is privileged. You should not retain, copy or use
>>>>             this e-mail or any attachments for any purpose, or
>>>>             disclose all or any part of the contents to any person.
>>>>             Any views or opinions expressed in this e-mail are
>>>>             those of the author and do not represent those of the
>>>>             Baptist School of Health Professions. If you have
>>>>             received this e-mail in error, or are not the named
>>>>             recipient(s), you are hereby notified that any review,
>>>>             dissemination, distribution or copying of this
>>>>             communication is prohibited by the sender and to do so
>>>>             might constitute a violation of the Electronic
>>>>             Communications Privacy Act, 18 U.S.C. section
>>>>             2510-2521. Please immediately notify the sender and
>>>>             delete this e-mail and any attachments from your computer.
>>>>
>>>>
>>>>             _______________________________________________
>>>>             midPoint mailing list
>>>>             midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>             -- 
>>>               Ing. Ivan Noris
>>>               Senior Identity Management Engineer
>>>               evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>               _____________________________________________
>>>               "Semper Id(e)M Vix."
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com
>>>             <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141206/a22fdb77/attachment.htm>

From jeverling at bshp.edu  Sat Dec  6 00:29:02 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 5 Dec 2014 17:29:02 -0600
Subject: [midPoint] Help with condition in Synchonization
In-Reply-To: <54823F44.8020109@evolveum.com>
References: <CAFkZXY774UzLNn-1XNcXeYBVtCBUdCjdqTSzUF23o1B-M=VhZg@mail.gmail.com>
 <5481E928.4010405@evolveum.com>
 <CAFkZXY4rW3pwncqRszP0zntyo0SysnAc2wJ1RNC+rG+qBW_9zg@mail.gmail.com>
 <CAFkZXY7kdNvKhFrs8qsZReYpV-3sQJpFiTCQY3RsGa=pBPRF5w@mail.gmail.com>
 <548221AF.6010009@evolveum.com>
 <CAFkZXY6tMc6rHMohCRCvVNVjVs5mGXDj9mroEa7KFyx-8Rn14w@mail.gmail.com>
 <548232E9.5080905@evolveum.com>
 <CAFkZXY5OOqfukSfdKcDGc3JNQV0WCiiSjYHGJoD-ywZPat6eag@mail.gmail.com>
 <548238D0.1050501@evolveum.com>
 <CAFkZXY5QcOY8vVSKm+SChZOt102od3uDNqKdBLzCr=1CN7htig@mail.gmail.com>
 <54823F44.8020109@evolveum.com>
Message-ID: <CAFkZXY6vHCwyjLxtrYJ3omuA30OWMHHuQcRuu4c2fXG7XJ7NKw@mail.gmail.com>

Thanks so much for your help and breaking it down, it is time to go home!

JASON

On Fri, Dec 5, 2014 at 5:27 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> no reason to feel dumb. I've noticed the possible typo here, that's why I
> have asked for confirmation:
>
> Caused by: com.evolveum.midpoint.util.exception.SystemException:
> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
> groovy.lang.MissingPropertyException: No such property: familyName for
> class: Script75 expression in mapping in outbound mapping for
> {.../connector/icf-1/resource-schema-3}name in
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
> 365, Google Apps, Moodle)(organization=PPV(PolyString:OU=SHP
> Students,DC=TEST,DC=LOCAL); *familyNam**=null*;
> givenName=PPV(PolyString:John); ) in expression in mapping in outbound
> mapping for {.../connector/icf-1/resource-schema-3}name in
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
> 365, Google Apps, Moodle)
>
> The log entry above can be explained as:
>
> No such property: familyName ... in mapping ... - you are referencing the
> "familyName" variable but it has no definition (e.g. source) in the mapping.
>
> The mapping could have a <name>Mapping for DN attribute</name>, but it's
> obviously mapping for icfs:name, because of
> "{.../connector/icf-1/resource-schema-3}name".
>
> The resource is "Active Directory: Office 365, Google Apps, Moodle".
>
> The sources for this mapping are: organization, familyNam (that's the
> typo), givenName. Also values are printed.
>
> As the familyName had no value, the mapping expression was referencing
> non-existent variable in Groovy interpreter.
>
> So this time it was easy to find the typo :) Some other problems take more
> time to get a clue.
>
> So it's working, which is fine ;-)
>
> Regards and have a nice weekend.
>
> Ivan
>
>
> On 12/06/2014 12:13 AM, Jason Everling wrote:
>
> omg... I feel so dumb, I swear I looked at that a million times! I had a
> typo for familyNam , I was missing the 'e' ...I swear I checked that!!
>
>  It is all working now, Users from DBTable are created and synced,
>
>  JASON
>
> On Fri, Dec 5, 2014 at 4:59 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Jason,
>>
>> how does the mapping for icfs:name in Active Directory resource look like?
>>
>> I.
>>
>>
>>
>> On 12/05/2014 11:40 PM, Jason Everling wrote:
>>
>>  Yes, I changed to instance-3 and it is working, I have another error
>> though now, seems that when it get created in Midpoint and the roles are
>> assigned it gets stuck and errors on the AD Provisioning with
>>
>>  Caused by: com.evolveum.midpoint.util.exception.SystemException:
>> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>> groovy.lang.MissingPropertyException: No such property: familyName for
>> class: Script75 expression in mapping in outbound mapping for
>> {.../connector/icf-1/resource-schema-3}name in
>> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
>> 365, Google Apps, Moodle)(organization=PPV(PolyString:OU=SHP
>> Students,DC=TEST,DC=LOCAL); familyNam=null; givenName=PPV(PolyString:John);
>> ) in expression in mapping in outbound mapping for
>> {.../connector/icf-1/resource-schema-3}name in
>> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
>> 365, Google Apps, Moodle)
>>
>>  Why familyName error? If I look at the created user in Midpoint the
>> user account has a correct lastname and all the other attributes look fine.
>>
>>  JASON
>>
>>  On Fri, Dec 5, 2014 at 4:34 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>   Yeah, the namespace...
>>>
>>> It needs to be the namespace of the resource attributes. That's the same
>>> as in schema handling (by default named "ri").
>>>
>>> basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3',
>>> 'level_')
>>>
>>> But according to the production object I'm just looking at, it should
>>> even work:
>>>
>>> *basic.getAttributeValue(shadow, 'level_')*
>>>
>>> This defaults to "ri" namespace.
>>>
>>> For example in one of our deployments, in one of our sync
>>> configurations, we have condition with:
>>>
>>> <code>
>>> sam = basic.getAttributeValue(shadow, 'samAccountName')
>>> . . .
>>> (and then we process "sam" variable...)
>>> </code>
>>>
>>> Sorry, I didn't check the namespace in the original mail.
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 12/05/2014 10:46 PM, Jason Everling wrote:
>>>
>>>  It is still the same, I even tried other ways pulling ideas from
>>> github,
>>>
>>>  I tried adding the single quotes, midpoint sees the shadow user under
>>> shadow details but does not create the accounts. If I remove the condition
>>> then the accounts get created. Somehow it is not liking the condition,
>>>
>>>   <code>
>>>  tmp = basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>> 'level_');
>>>  return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' || tmp ==
>>> 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H')
>>>  </code>
>>>
>>>  Is the shadow part and namespace correct? this is a DBTable Resource
>>> and the column name is level_ and it is a single value. Does this attribute
>>> need to have a mapping? I am currently not mapping the value in midpoint,
>>>  really wouldn't know what to map it to.
>>>
>>>  basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>> 'level_')
>>>
>>>  Here is the full sync object
>>>
>>>    <synchronization> <objectSynchronization> <enabled>true</enabled>
>>> <condition> <script> <code> tmp = basic.getAttributeValue(shadow, '
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>> 'level_'); return (tmp == '2' || tmp == '3' || tmp == '4' || tmp == '5' ||
>>> tmp == 'A' || tmp == 'B' || tmp == 'C' || tmp == 'H') </code> </script>
>>> </condition> <correlation> <q:equal> <q:path>c:employeeNumber</q:path>
>>> <expression> <path> declare namespace icfs="
>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>> $account/attributes/icfs:name </path> </expression> </q:equal>
>>> </correlation> <reaction> <situation>linked</situation> <action ref="
>>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser"/>
>>> </reaction> <reaction> <situation>deleted</situation> <action ref="
>>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/>
>>> </reaction> <reaction> <situation>unlinked</situation> <action ref="
>>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/>
>>> </reaction> <reaction> <situation>unmatched</situation> <objectTemplateRef
>>> oid="10000000-0000-0000-0000-000000000203"/> <action ref="
>>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
>>> </reaction> </objectSynchronization> </synchronization>
>>>
>>>
>>>
>>>
>>>
>>>  On Fri, Dec 5, 2014 at 3:20 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>   So if it's string, try to use single quotes.
>>>>
>>>> ... tmp == '2' || ...
>>>>
>>>>
>>>> On 12/05/2014 07:02 PM, Jason Everling wrote:
>>>>
>>>>  It was because the A, B, C, H didnt exist in the database, when I
>>>> removed those levels it doesn't error but it also does not create accounts
>>>> for the ones that have a matching level like 2 or 3
>>>>
>>>>  JASON
>>>>
>>>>  On Fri, Dec 5, 2014 at 11:46 AM, Jason Everling <jeverling at bshp.edu>
>>>> wrote:
>>>>
>>>>>  I was trying something like that but didnt get anywhere,
>>>>>
>>>>>  I have,
>>>>>
>>>>>   <condition>
>>>>>  <script>
>>>>>  <code>
>>>>>  tmp = basic.getAttributeValue(shadow, '
>>>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>> 'level_');
>>>>>  return (tmp == 2 || tmp == 3 || tmp == 4 || tmp == 5 || tmp == A ||
>>>>> tmp == B || tmp == C || tmp == H)
>>>>>  </code>
>>>>>  </script>
>>>>>  </condition>
>>>>>
>>>>>  And get error,
>>>>>
>>>>>  ERROR (com.evolveum.midpoint.model.common.expression.Expression):
>>>>> Error evaluating expression in condition in object synchronization null:
>>>>> groovy.lang.MissingPropertyException: No such property: A for class:
>>>>> Script42 (new) condition in object synchronization null
>>>>> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
>>>>> groovy.lang.MissingPropertyException: No such property: A for class:
>>>>> Script42 (new) condition in object synchronization null
>>>>>
>>>>>  On Fri, Dec 5, 2014 at 11:19 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>>   Hi Jason,
>>>>>>
>>>>>> I would do this:
>>>>>>
>>>>>> . . .
>>>>>> <code>
>>>>>> tmp = basic.getAttributeValue(shadow, '
>>>>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>>> 'level_');
>>>>>>
>>>>>> return (tmp == 2 || tmp == 3 || tmp == 4 | ...)
>>>>>> </code>
>>>>>> . . .
>>>>>>
>>>>>> Regards,
>>>>>> I.
>>>>>>
>>>>>>
>>>>>> On 12/05/2014 04:12 PM, Jason Everling wrote:
>>>>>>
>>>>>>   I was trying to add a condition to the synchronization element,
>>>>>>
>>>>>>  Here is what I got, there is a column in the table level_ , I only
>>>>>> want to sync users that have those specific values
>>>>>>
>>>>>>   <condition>
>>>>>>  <script>
>>>>>>  <code>
>>>>>>  basic.getAttributeValue(shadow, '
>>>>>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
>>>>>> 'level_') = (2 || 3 || 4 || 5 || A || B || C || H)
>>>>>>  </code>
>>>>>>  </script>
>>>>>>  </condition>
>>>>>>
>>>>>>  When it runs I get the following
>>>>>>
>>>>>>    1 error
>>>>>>  (new) condition in object synchronization null
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.createCompiledScript(Jsr223ScriptEvaluator.java:176)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:117)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpression.evaluate(ScriptExpression.java:110)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.script.ScriptExpressionEvaluator.transformSingleValue(ScriptExpressionEvaluator.java:58)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateScriptExpression(AbstractValueTransformationExpressionEvaluator.java:276)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluateAbsoluteExpression(AbstractValueTransformationExpressionEvaluator.java:206)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.evaluator.AbstractValueTransformationExpressionEvaluator.evaluate(AbstractValueTransformationExpressionEvaluator.java:107)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.Expression.evaluate(Expression.java:136)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateExpression(ExpressionUtil.java:500)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.common.expression.ExpressionUtil.evaluateCondition(ExpressionUtil.java:523)~[model-common-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.isPolicyApplicable(SynchronizationService.java:383)~[model-impl-3.0.1.jar:na]
>>>>>>  at
>>>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.determineSynchronizationPolicy(SynchronizationService.java:343)~[model-impl-3.0.1.jar:na]
>>>>>>   at
>>>>>> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:205)~[model-impl-3.0.1.jar:na]
>>>>>>   ... 54 common frames omitted
>>>>>> Caused by: javax.script.ScriptException:
>>>>>> org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
>>>>>> failed:
>>>>>> Script37.groovy: 2:
>>>>>> "basic.getAttributeValue(shadow,
>>>>>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3,
>>>>>> level_)" is a method call expression, but it should be a variable
>>>>>> expression at line: 2 column: 116. File: Script37.groovy @ line 2, column
>>>>>> 116.
>>>>>>    source/instance-3', 'level_') = (2 || 3
>>>>>>
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE:
>>>>>> This e-mail together with any attachments is proprietary and
>>>>>> confidential; intended for only the recipient(s) named above and may
>>>>>> contain information that is privileged. You should not retain, copy or use
>>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>>> computer.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>> --
>>>>>>   Ing. Ivan Noris
>>>>>>   Senior Identity Management Engineer
>>>>>>   evolveum.com     evolveum.com/blog/
>>>>>>   _____________________________________________
>>>>>>   "Semper Id(e)M Vix."
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141205/85c670d6/attachment.htm>

From dharm.parakh at gmail.com  Mon Dec  8 11:17:55 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Mon, 8 Dec 2014 15:47:55 +0530
Subject: [midPoint] Custom Connector Issue
Message-ID: <CAKvVWqwj2E=O+anfihMqzZYTGXDoOHZ6OOziW6uFN3_-21Ph1g@mail.gmail.com>

Hi

I am developing a custom connector which will provision a custom object
class on openldap.

I have written the code for connector using conn-id framework and deployed
it on midpoint. I am able to see it listed in connectors list in my
midpoint server.

I have written a resource xml for this connector and when i try to import
it i am getting an error :

2014-12-08 14:40:21,742 [PROVISIONING] [http-bio-8080-exec-3] ERROR
(com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Complex
run-time properties are not supported: type {
http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
com.evolveum.midpoint.util.exception.SchemaException: Complex run-time
properties are not supported: type {http://www.w3.org/2001/XMLSchema}string
from XNode(map:1 entries)
at
com.evolveum.midpoint.prism.parser.XNodeProcessor.parsePrismPropertyRealValueFromMap(XNodeProcessor.java:473)
~[prism-3.0.jar:na]
at
com.evolveum.midpoint.prism.parser.XNodeProcessor.parsePrismPropertyRealValue(XNodeProcessor.java:395)
~[prism-3.0.jar:na]
at
com.evolveum.midpoint.prism.PrismPropertyValue.parseRawElementToNewRealValue(PrismPropertyValue.java:357)
~[prism-3.0.jar:na]
at
com.evolveum.midpoint.prism.PrismPropertyValue.applyDefinition(PrismPropertyValue.java:162)
~[prism-3.0.jar:na]
....
....

Caused by: com.evolveum.midpoint.repo.sql.util.DtoTranslationException:
Complex run-time properties are not supported: type {
http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
at
com.evolveum.midpoint.repo.sql.data.audit.RAuditEventRecord.toRepo(RAuditEventRecord.java:398)
~[repo-sql-impl-3.0.jar:na]
at
com.evolveum.midpoint.repo.sql.SqlAuditServiceImpl.auditAttempt(SqlAuditServiceImpl.java:76)
~[repo-sql-impl-3.0.jar:na]
... 104 common frames omitted
Caused by: com.evolveum.midpoint.repo.sql.util.DtoTranslationException:
Complex run-time properties are not supported: type {
http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
at
com.evolveum.midpoint.repo.sql.data.audit.RObjectDeltaOperation.toRepo(RObjectDeltaOperation.java:218)
~[repo-sql-impl-3.0.jar:na]
at
com.evolveum.midpoint.repo.sql.data.audit.RAuditEventRecord.toRepo(RAuditEventRecord.java:393)
~[repo-sql-impl-3.0.jar:na]
... 105 common frames omitted
Caused by: java.lang.IllegalStateException: Complex run-time properties are
not supported: type {http://www.w3.org/2001/XMLSchema}string from
XNode(map:1 entries)
at
com.evolveum.midpoint.prism.PrismPropertyValue.getValue(PrismPropertyValue.java:131)
~[prism-3.0.jar:na]
at
com.evolveum.midpoint.prism.parser.XNodeSerializer.serializePropertyValue(XNodeSerializer.java:330)
~[prism-3.0.jar:na]
at
com.evolveum.midpoint.prism.parser.XNodeSerializer.serializeItemValue(XNodeSerializer.java:208)
~[prism-3.0.jar:na]
at
com.evolveum.midpoint.prism.parser.XNodeSerializer.serializeItem(XNodeSerializer.java:115)
~[prism-3.0.jar:na]
..............
................


If the connector is displayed in available connectors list i assume that it
is bundled correctly and i used my ldap resource xml to write similar xml
for my custom resource.
Can you help me pointing what can be the probable issue.


Regards
Dharmendra
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/b731d816/attachment.htm>

From dharm.parakh at gmail.com  Mon Dec  8 12:12:31 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Mon, 8 Dec 2014 16:42:31 +0530
Subject: [midPoint] Custom Connector Issue
In-Reply-To: <CAKvVWqwj2E=O+anfihMqzZYTGXDoOHZ6OOziW6uFN3_-21Ph1g@mail.gmail.com>
References: <CAKvVWqwj2E=O+anfihMqzZYTGXDoOHZ6OOziW6uFN3_-21Ph1g@mail.gmail.com>
Message-ID: <CAKvVWqynm9_OX90wCsPAT8bBYixdc+gaHseyu5f61qf-ebyF+g@mail.gmail.com>

For your reference...

[image: Inline image 1]

On Mon, Dec 8, 2014 at 3:47 PM, dharmendra parakh <dharm.parakh at gmail.com>
wrote:

> Hi
>
> I am developing a custom connector which will provision a custom object
> class on openldap.
>
> I have written the code for connector using conn-id framework and deployed
> it on midpoint. I am able to see it listed in connectors list in my
> midpoint server.
>
> I have written a resource xml for this connector and when i try to import
> it i am getting an error :
>
> 2014-12-08 14:40:21,742 [PROVISIONING] [http-bio-8080-exec-3] ERROR
> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Complex
> run-time properties are not supported: type {
> http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
> com.evolveum.midpoint.util.exception.SchemaException: Complex run-time
> properties are not supported: type {
> http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
> at
> com.evolveum.midpoint.prism.parser.XNodeProcessor.parsePrismPropertyRealValueFromMap(XNodeProcessor.java:473)
> ~[prism-3.0.jar:na]
> at
> com.evolveum.midpoint.prism.parser.XNodeProcessor.parsePrismPropertyRealValue(XNodeProcessor.java:395)
> ~[prism-3.0.jar:na]
> at
> com.evolveum.midpoint.prism.PrismPropertyValue.parseRawElementToNewRealValue(PrismPropertyValue.java:357)
> ~[prism-3.0.jar:na]
> at
> com.evolveum.midpoint.prism.PrismPropertyValue.applyDefinition(PrismPropertyValue.java:162)
> ~[prism-3.0.jar:na]
> ....
> ....
>
> Caused by: com.evolveum.midpoint.repo.sql.util.DtoTranslationException:
> Complex run-time properties are not supported: type {
> http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
> at
> com.evolveum.midpoint.repo.sql.data.audit.RAuditEventRecord.toRepo(RAuditEventRecord.java:398)
> ~[repo-sql-impl-3.0.jar:na]
> at
> com.evolveum.midpoint.repo.sql.SqlAuditServiceImpl.auditAttempt(SqlAuditServiceImpl.java:76)
> ~[repo-sql-impl-3.0.jar:na]
> ... 104 common frames omitted
> Caused by: com.evolveum.midpoint.repo.sql.util.DtoTranslationException:
> Complex run-time properties are not supported: type {
> http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
> at
> com.evolveum.midpoint.repo.sql.data.audit.RObjectDeltaOperation.toRepo(RObjectDeltaOperation.java:218)
> ~[repo-sql-impl-3.0.jar:na]
> at
> com.evolveum.midpoint.repo.sql.data.audit.RAuditEventRecord.toRepo(RAuditEventRecord.java:393)
> ~[repo-sql-impl-3.0.jar:na]
> ... 105 common frames omitted
> Caused by: java.lang.IllegalStateException: Complex run-time properties
> are not supported: type {http://www.w3.org/2001/XMLSchema}string from
> XNode(map:1 entries)
> at
> com.evolveum.midpoint.prism.PrismPropertyValue.getValue(PrismPropertyValue.java:131)
> ~[prism-3.0.jar:na]
> at
> com.evolveum.midpoint.prism.parser.XNodeSerializer.serializePropertyValue(XNodeSerializer.java:330)
> ~[prism-3.0.jar:na]
> at
> com.evolveum.midpoint.prism.parser.XNodeSerializer.serializeItemValue(XNodeSerializer.java:208)
> ~[prism-3.0.jar:na]
> at
> com.evolveum.midpoint.prism.parser.XNodeSerializer.serializeItem(XNodeSerializer.java:115)
> ~[prism-3.0.jar:na]
> ..............
> ................
>
>
> If the connector is displayed in available connectors list i assume that
> it is bundled correctly and i used my ldap resource xml to write similar
> xml for my custom resource.
> Can you help me pointing what can be the probable issue.
>
>
> Regards
> Dharmendra
>
>
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/8eca3c6c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 131412 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/8eca3c6c/attachment.png>

From dharm.parakh at gmail.com  Mon Dec  8 13:11:45 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Mon, 8 Dec 2014 17:41:45 +0530
Subject: [midPoint] Custom Connector Issue
In-Reply-To: <CAKvVWqynm9_OX90wCsPAT8bBYixdc+gaHseyu5f61qf-ebyF+g@mail.gmail.com>
References: <CAKvVWqwj2E=O+anfihMqzZYTGXDoOHZ6OOziW6uFN3_-21Ph1g@mail.gmail.com>
 <CAKvVWqynm9_OX90wCsPAT8bBYixdc+gaHseyu5f61qf-ebyF+g@mail.gmail.com>
Message-ID: <CAKvVWqwJoLC31hLHD6ZMepEhN=huaf_GBFWecHRRUMimv2dVyQ@mail.gmail.com>

Hi

I was able to solve this issue.

Thanks!

On Mon, Dec 8, 2014 at 4:42 PM, dharmendra parakh <dharm.parakh at gmail.com>
wrote:

>
> For your reference...
>
> [image: Inline image 1]
>
> On Mon, Dec 8, 2014 at 3:47 PM, dharmendra parakh <dharm.parakh at gmail.com>
> wrote:
>
>> Hi
>>
>> I am developing a custom connector which will provision a custom object
>> class on openldap.
>>
>> I have written the code for connector using conn-id framework and
>> deployed it on midpoint. I am able to see it listed in connectors list in
>> my midpoint server.
>>
>> I have written a resource xml for this connector and when i try to import
>> it i am getting an error :
>>
>> 2014-12-08 14:40:21,742 [PROVISIONING] [http-bio-8080-exec-3] ERROR
>> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Complex
>> run-time properties are not supported: type {
>> http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
>> com.evolveum.midpoint.util.exception.SchemaException: Complex run-time
>> properties are not supported: type {
>> http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
>> at
>> com.evolveum.midpoint.prism.parser.XNodeProcessor.parsePrismPropertyRealValueFromMap(XNodeProcessor.java:473)
>> ~[prism-3.0.jar:na]
>> at
>> com.evolveum.midpoint.prism.parser.XNodeProcessor.parsePrismPropertyRealValue(XNodeProcessor.java:395)
>> ~[prism-3.0.jar:na]
>> at
>> com.evolveum.midpoint.prism.PrismPropertyValue.parseRawElementToNewRealValue(PrismPropertyValue.java:357)
>> ~[prism-3.0.jar:na]
>> at
>> com.evolveum.midpoint.prism.PrismPropertyValue.applyDefinition(PrismPropertyValue.java:162)
>> ~[prism-3.0.jar:na]
>> ....
>> ....
>>
>> Caused by: com.evolveum.midpoint.repo.sql.util.DtoTranslationException:
>> Complex run-time properties are not supported: type {
>> http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
>> at
>> com.evolveum.midpoint.repo.sql.data.audit.RAuditEventRecord.toRepo(RAuditEventRecord.java:398)
>> ~[repo-sql-impl-3.0.jar:na]
>> at
>> com.evolveum.midpoint.repo.sql.SqlAuditServiceImpl.auditAttempt(SqlAuditServiceImpl.java:76)
>> ~[repo-sql-impl-3.0.jar:na]
>> ... 104 common frames omitted
>> Caused by: com.evolveum.midpoint.repo.sql.util.DtoTranslationException:
>> Complex run-time properties are not supported: type {
>> http://www.w3.org/2001/XMLSchema}string from XNode(map:1 entries)
>> at
>> com.evolveum.midpoint.repo.sql.data.audit.RObjectDeltaOperation.toRepo(RObjectDeltaOperation.java:218)
>> ~[repo-sql-impl-3.0.jar:na]
>> at
>> com.evolveum.midpoint.repo.sql.data.audit.RAuditEventRecord.toRepo(RAuditEventRecord.java:393)
>> ~[repo-sql-impl-3.0.jar:na]
>> ... 105 common frames omitted
>> Caused by: java.lang.IllegalStateException: Complex run-time properties
>> are not supported: type {http://www.w3.org/2001/XMLSchema}string from
>> XNode(map:1 entries)
>> at
>> com.evolveum.midpoint.prism.PrismPropertyValue.getValue(PrismPropertyValue.java:131)
>> ~[prism-3.0.jar:na]
>> at
>> com.evolveum.midpoint.prism.parser.XNodeSerializer.serializePropertyValue(XNodeSerializer.java:330)
>> ~[prism-3.0.jar:na]
>> at
>> com.evolveum.midpoint.prism.parser.XNodeSerializer.serializeItemValue(XNodeSerializer.java:208)
>> ~[prism-3.0.jar:na]
>> at
>> com.evolveum.midpoint.prism.parser.XNodeSerializer.serializeItem(XNodeSerializer.java:115)
>> ~[prism-3.0.jar:na]
>> ..............
>> ................
>>
>>
>> If the connector is displayed in available connectors list i assume that
>> it is bundled correctly and i used my ldap resource xml to write similar
>> xml for my custom resource.
>> Can you help me pointing what can be the probable issue.
>>
>>
>> Regards
>> Dharmendra
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/9cce59b8/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 131412 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/9cce59b8/attachment.png>

From jeverling at bshp.edu  Mon Dec  8 16:51:40 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 09:51:40 -0600
Subject: [midPoint] Link User during New User Creation
Message-ID: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>

So here is the scenario,

There is a DBTable resource that already has all the accounts, midpoint
will not create or delete from this resource.

The user does not exist yet in Midpoint, The users are created in midpoint
using another DBTable resource.

How can I link the newly created user in Midpoint to their account in the
other resource,

I can do this by running a reconcile task on the resource but is there any
other way to link users to accounts on other resources since they already
exist without having to run reconcile on the resource everytime?

Thanks,
JASON

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/4e554165/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  8 17:52:07 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 08 Dec 2014 17:52:07 +0100
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
Message-ID: <5485D737.2030604@evolveum.com>

Hi Jason,

in general, the deployment is as follows:

1. import/reconcile from source system(s) to create identities (users)
in midPoint. This may also create additional accounts in other systems
(i.e. that were not provisioned before).
2. create reconciliation tasks for all other systems, where the accounts
already exists and should be linked to midpoint identities.

Based on the mappings in your resources, the reconciliations may modify
the data on the reconciled resources (outbound mappings).

Technically, when midPoint user is assigned a role that should provision
account on target system and the account already exists (= can be
correlated), it will be updated. But the decision is made upon the
provisioning request.

So I'd recommend to setup the reconciliation tasks, and start them first
with the "dry-run" flag to see how many accounts can be correlated to
midPoint users.

Regards,
Ivan

On 12/08/2014 04:51 PM, Jason Everling wrote:
> So here is the scenario,
>
> There is a DBTable resource that already has all the accounts,
> midpoint will not create or delete from this resource.
>
> The user does not exist yet in Midpoint, The users are created in
> midpoint using another DBTable resource.
>
> How can I link the newly created user in Midpoint to their account in
> the other resource,
>
> I can do this by running a reconcile task on the resource but is there
> any other way to link users to accounts on other resources since they
> already exist without having to run reconcile on the resource everytime?
>
> Thanks,
> JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/184a3f6e/attachment.htm>

From jeverling at bshp.edu  Mon Dec  8 18:26:40 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 11:26:40 -0600
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <5485D737.2030604@evolveum.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
Message-ID: <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>

I figured that this was the case and I read on the wiki..

"Technically, when midPoint user is assigned a role that should provision
account on target system and the account already exists (= can be
correlated), it will be updated. But the decision is made upon the
provisioning request."

But it does not work, it errors out. Maybe because my resource has create
and delete disabled? Midpoint will never create or delete accounts in this
resource.

<cap:create>
                    <cap:enabled>false</cap:enabled>
                </cap:create>
                <cap:delete>
<cap:enabled>false</cap:enabled>
                </cap:delete>

Starting error,

com.evolveum.midpoint.util.exception.SystemException:
com.evolveum.midpoint.util.exception.SystemException:
java.lang.UnsupportedOperationException: Resource does not support 'create'
operation

This is when I have a role that has an inducement for this resource which I
would have thought would just link since it already exists, the correlation
is employeeNumber like all of my other resources.

JASON

On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> in general, the deployment is as follows:
>
> 1. import/reconcile from source system(s) to create identities (users) in
> midPoint. This may also create additional accounts in other systems (i.e.
> that were not provisioned before).
> 2. create reconciliation tasks for all other systems, where the accounts
> already exists and should be linked to midpoint identities.
>
> Based on the mappings in your resources, the reconciliations may modify
> the data on the reconciled resources (outbound mappings).
>
> Technically, when midPoint user is assigned a role that should provision
> account on target system and the account already exists (= can be
> correlated), it will be updated. But the decision is made upon the
> provisioning request.
>
> So I'd recommend to setup the reconciliation tasks, and start them first
> with the "dry-run" flag to see how many accounts can be correlated to
> midPoint users.
>
> Regards,
> Ivan
>
>
> On 12/08/2014 04:51 PM, Jason Everling wrote:
>
> So here is the scenario,
>
>  There is a DBTable resource that already has all the accounts, midpoint
> will not create or delete from this resource.
>
>  The user does not exist yet in Midpoint, The users are created in
> midpoint using another DBTable resource.
>
>  How can I link the newly created user in Midpoint to their account in
> the other resource,
>
>  I can do this by running a reconcile task on the resource but is there
> any other way to link users to accounts on other resources since they
> already exist without having to run reconcile on the resource everytime?
>
>  Thanks,
> JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/f4f2a011/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  8 18:42:09 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 08 Dec 2014 18:42:09 +0100
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
Message-ID: <5485E2F1.30307@evolveum.com>

Hi Jason,

as the error states, and based on what you've written earlier about
disabling creates, it's because the create capability is disabled
(deliberately). midPoint tries to create (add) account and the decision
that it should be converted to an update comes just after the collision
is detected.

I.

On 12/08/2014 06:26 PM, Jason Everling wrote:
> I figured that this was the case and I read on the wiki..
>
> "Technically, when midPoint user is assigned a role that should
> provision account on target system and the account already exists (=
> can be correlated), it will be updated. But the decision is made upon
> the provisioning request."
>
> But it does not work, it errors out. Maybe because my resource has
> create and delete disabled? Midpoint will never create or delete
> accounts in this resource.
>
> <cap:create>
>                     <cap:enabled>false</cap:enabled>
>                 </cap:create>
>                 <cap:delete>
> <cap:enabled>false</cap:enabled>
>                 </cap:delete>
>
> Starting error,
>
> com.evolveum.midpoint.util.exception.SystemException:
> com.evolveum.midpoint.util.exception.SystemException:
> java.lang.UnsupportedOperationException: Resource does not support
> 'create' operation
>
> This is when I have a role that has an inducement for this resource
> which I would have thought would just link since it already exists,
> the correlation is employeeNumber like all of my other resources.
>
> JASON
>
> On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     in general, the deployment is as follows:
>
>     1. import/reconcile from source system(s) to create identities
>     (users) in midPoint. This may also create additional accounts in
>     other systems (i.e. that were not provisioned before).
>     2. create reconciliation tasks for all other systems, where the
>     accounts already exists and should be linked to midpoint identities.
>
>     Based on the mappings in your resources, the reconciliations may
>     modify the data on the reconciled resources (outbound mappings).
>
>     Technically, when midPoint user is assigned a role that should
>     provision account on target system and the account already exists
>     (= can be correlated), it will be updated. But the decision is
>     made upon the provisioning request.
>
>     So I'd recommend to setup the reconciliation tasks, and start them
>     first with the "dry-run" flag to see how many accounts can be
>     correlated to midPoint users.
>
>     Regards,
>     Ivan
>
>
>     On 12/08/2014 04:51 PM, Jason Everling wrote:
>>     So here is the scenario,
>>
>>     There is a DBTable resource that already has all the accounts,
>>     midpoint will not create or delete from this resource.
>>
>>     The user does not exist yet in Midpoint, The users are created in
>>     midpoint using another DBTable resource.
>>
>>     How can I link the newly created user in Midpoint to their
>>     account in the other resource,
>>
>>     I can do this by running a reconcile task on the resource but is
>>     there any other way to link users to accounts on other resources
>>     since they already exist without having to run reconcile on the
>>     resource everytime?
>>
>>     Thanks,
>>     JASON
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/538c8179/attachment.htm>

From jeverling at bshp.edu  Mon Dec  8 18:45:33 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 11:45:33 -0600
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <5485E2F1.30307@evolveum.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
Message-ID: <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>

Ok thanks, that is what I figured so I just wanted to make sure that was
the case. I am going to remove that configuration, it should never create
anyways, users will always be listed on that resource first way before
midpoint would ever even create the midpoint user account.

I could also just leave that and run Reconcile on the resource nightly, it
has 40,000 objects, that should not be an issue right?

JASON

On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> as the error states, and based on what you've written earlier about
> disabling creates, it's because the create capability is disabled
> (deliberately). midPoint tries to create (add) account and the decision
> that it should be converted to an update comes just after the collision is
> detected.
>
> I.
>
>
> On 12/08/2014 06:26 PM, Jason Everling wrote:
>
> I figured that this was the case and I read on the wiki..
>
> "Technically, when midPoint user is assigned a role that should provision
> account on target system and the account already exists (= can be
> correlated), it will be updated. But the decision is made upon the
> provisioning request."
>
>  But it does not work, it errors out. Maybe because my resource has
> create and delete disabled? Midpoint will never create or delete accounts
> in this resource.
>
>   <cap:create>
>                     <cap:enabled>false</cap:enabled>
>                 </cap:create>
>                 <cap:delete>
>  <cap:enabled>false</cap:enabled>
>                 </cap:delete>
>
>  Starting error,
>
>  com.evolveum.midpoint.util.exception.SystemException:
> com.evolveum.midpoint.util.exception.SystemException:
> java.lang.UnsupportedOperationException: Resource does not support 'create'
> operation
>
>  This is when I have a role that has an inducement for this resource
> which I would have thought would just link since it already exists, the
> correlation is employeeNumber like all of my other resources.
>
>  JASON
>
> On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>> in general, the deployment is as follows:
>>
>> 1. import/reconcile from source system(s) to create identities (users) in
>> midPoint. This may also create additional accounts in other systems (i.e.
>> that were not provisioned before).
>> 2. create reconciliation tasks for all other systems, where the accounts
>> already exists and should be linked to midpoint identities.
>>
>> Based on the mappings in your resources, the reconciliations may modify
>> the data on the reconciled resources (outbound mappings).
>>
>> Technically, when midPoint user is assigned a role that should provision
>> account on target system and the account already exists (= can be
>> correlated), it will be updated. But the decision is made upon the
>> provisioning request.
>>
>> So I'd recommend to setup the reconciliation tasks, and start them first
>> with the "dry-run" flag to see how many accounts can be correlated to
>> midPoint users.
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/08/2014 04:51 PM, Jason Everling wrote:
>>
>>  So here is the scenario,
>>
>>  There is a DBTable resource that already has all the accounts, midpoint
>> will not create or delete from this resource.
>>
>>  The user does not exist yet in Midpoint, The users are created in
>> midpoint using another DBTable resource.
>>
>>  How can I link the newly created user in Midpoint to their account in
>> the other resource,
>>
>>  I can do this by running a reconcile task on the resource but is there
>> any other way to link users to accounts on other resources since they
>> already exist without having to run reconcile on the resource everytime?
>>
>>  Thanks,
>> JASON
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/9da937f0/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  8 20:27:12 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 08 Dec 2014 20:27:12 +0100
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
 <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
Message-ID: <5485FB90.1000104@evolveum.com>

Hi Jason,

40.000 accounts is not an issue itself. Just be adwised that performance
strongly depends not only the number of users, but also on configuration
of mappings, logging, tracing etc. In other words, linking the account
is one thing, provisioning changes during the recon takes more time.

Anyway we appreciate any information about the performance in your case
when it's finished.

And don't forget to run the dry-run recon first to be sure about your
correlation rules.

Thanks,
Ivan

On 12/08/2014 06:45 PM, Jason Everling wrote:
> Ok thanks, that is what I figured so I just wanted to make sure that
> was the case. I am going to remove that configuration, it should never
> create anyways, users will always be listed on that resource first way
> before midpoint would ever even create the midpoint user account.
>
> I could also just leave that and run Reconcile on the resource
> nightly, it has 40,000 objects, that should not be an issue right?
>
> JASON
>
> On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     as the error states, and based on what you've written earlier
>     about disabling creates, it's because the create capability is
>     disabled (deliberately). midPoint tries to create (add) account
>     and the decision that it should be converted to an update comes
>     just after the collision is detected.
>
>     I.
>
>
>     On 12/08/2014 06:26 PM, Jason Everling wrote:
>>     I figured that this was the case and I read on the wiki..
>>
>>     "Technically, when midPoint user is assigned a role that should
>>     provision account on target system and the account already exists
>>     (= can be correlated), it will be updated. But the decision is
>>     made upon the provisioning request."
>>
>>     But it does not work, it errors out. Maybe because my resource
>>     has create and delete disabled? Midpoint will never create or
>>     delete accounts in this resource.
>>
>>     <cap:create>
>>                         <cap:enabled>false</cap:enabled>
>>                     </cap:create>
>>                     <cap:delete>
>>     <cap:enabled>false</cap:enabled>
>>                     </cap:delete>
>>
>>     Starting error,
>>
>>     com.evolveum.midpoint.util.exception.SystemException:
>>     com.evolveum.midpoint.util.exception.SystemException:
>>     java.lang.UnsupportedOperationException: Resource does not
>>     support 'create' operation
>>
>>     This is when I have a role that has an inducement for this
>>     resource which I would have thought would just link since it
>>     already exists, the correlation is employeeNumber like all of my
>>     other resources.
>>
>>     JASON
>>
>>     On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Hi Jason,
>>
>>         in general, the deployment is as follows:
>>
>>         1. import/reconcile from source system(s) to create
>>         identities (users) in midPoint. This may also create
>>         additional accounts in other systems (i.e. that were not
>>         provisioned before).
>>         2. create reconciliation tasks for all other systems, where
>>         the accounts already exists and should be linked to midpoint
>>         identities.
>>
>>         Based on the mappings in your resources, the reconciliations
>>         may modify the data on the reconciled resources (outbound
>>         mappings).
>>
>>         Technically, when midPoint user is assigned a role that
>>         should provision account on target system and the account
>>         already exists (= can be correlated), it will be updated. But
>>         the decision is made upon the provisioning request.
>>
>>         So I'd recommend to setup the reconciliation tasks, and start
>>         them first with the "dry-run" flag to see how many accounts
>>         can be correlated to midPoint users.
>>
>>         Regards,
>>         Ivan
>>
>>
>>         On 12/08/2014 04:51 PM, Jason Everling wrote:
>>>         So here is the scenario,
>>>
>>>         There is a DBTable resource that already has all the
>>>         accounts, midpoint will not create or delete from this resource.
>>>
>>>         The user does not exist yet in Midpoint, The users are
>>>         created in midpoint using another DBTable resource.
>>>
>>>         How can I link the newly created user in Midpoint to their
>>>         account in the other resource,
>>>
>>>         I can do this by running a reconcile task on the resource
>>>         but is there any other way to link users to accounts on
>>>         other resources since they already exist without having to
>>>         run reconcile on the resource everytime?
>>>
>>>         Thanks,
>>>         JASON
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/ae6b9c55/attachment.htm>

From jeverling at bshp.edu  Mon Dec  8 21:08:49 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 14:08:49 -0600
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <5485FB90.1000104@evolveum.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
 <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
 <5485FB90.1000104@evolveum.com>
Message-ID: <CAFkZXY70+SLKBL-HF4aKE=HFjBYNYBoBK5nog0gGtheWhC8uYA@mail.gmail.com>

I did a reconcile already from that last time I figured out how to do it
from one of the previous discussions. I just didn't know if it were a
standard to do a daily recon on a resource.

It took 27 minutes to do a full Recon, I only have 6 attributes which 3 are
outbound and 3 is both in/out. Name, Last, Phone, Email, Department,
Profile (extension). This is a VMware VM on my workstation also, so
surprisingly fast because the virtual disk is on the same disk as 10 other
running VMs.

I have almost 6 different resources now, various types, 2 of which are this
type where the resource already has the accounts.

I also upgraded to 3.1 Snapshot, just so I am creating all the objects on
the latest version.



On Mon, Dec 8, 2014 at 1:27 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> 40.000 accounts is not an issue itself. Just be adwised that performance
> strongly depends not only the number of users, but also on configuration of
> mappings, logging, tracing etc. In other words, linking the account is one
> thing, provisioning changes during the recon takes more time.
>
> Anyway we appreciate any information about the performance in your case
> when it's finished.
>
> And don't forget to run the dry-run recon first to be sure about your
> correlation rules.
>
> Thanks,
> Ivan
>
>
> On 12/08/2014 06:45 PM, Jason Everling wrote:
>
> Ok thanks, that is what I figured so I just wanted to make sure that was
> the case. I am going to remove that configuration, it should never create
> anyways, users will always be listed on that resource first way before
> midpoint would ever even create the midpoint user account.
>
>  I could also just leave that and run Reconcile on the resource nightly,
> it has 40,000 objects, that should not be an issue right?
>
>  JASON
>
> On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>> as the error states, and based on what you've written earlier about
>> disabling creates, it's because the create capability is disabled
>> (deliberately). midPoint tries to create (add) account and the decision
>> that it should be converted to an update comes just after the collision is
>> detected.
>>
>> I.
>>
>>
>> On 12/08/2014 06:26 PM, Jason Everling wrote:
>>
>> I figured that this was the case and I read on the wiki..
>>
>> "Technically, when midPoint user is assigned a role that should
>> provision account on target system and the account already exists (= can be
>> correlated), it will be updated. But the decision is made upon the
>> provisioning request."
>>
>>  But it does not work, it errors out. Maybe because my resource has
>> create and delete disabled? Midpoint will never create or delete accounts
>> in this resource.
>>
>>   <cap:create>
>>                     <cap:enabled>false</cap:enabled>
>>                 </cap:create>
>>                 <cap:delete>
>>  <cap:enabled>false</cap:enabled>
>>                 </cap:delete>
>>
>>  Starting error,
>>
>>  com.evolveum.midpoint.util.exception.SystemException:
>> com.evolveum.midpoint.util.exception.SystemException:
>> java.lang.UnsupportedOperationException: Resource does not support 'create'
>> operation
>>
>>  This is when I have a role that has an inducement for this resource
>> which I would have thought would just link since it already exists, the
>> correlation is employeeNumber like all of my other resources.
>>
>>  JASON
>>
>> On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> in general, the deployment is as follows:
>>>
>>> 1. import/reconcile from source system(s) to create identities (users)
>>> in midPoint. This may also create additional accounts in other systems
>>> (i.e. that were not provisioned before).
>>> 2. create reconciliation tasks for all other systems, where the accounts
>>> already exists and should be linked to midpoint identities.
>>>
>>> Based on the mappings in your resources, the reconciliations may modify
>>> the data on the reconciled resources (outbound mappings).
>>>
>>> Technically, when midPoint user is assigned a role that should provision
>>> account on target system and the account already exists (= can be
>>> correlated), it will be updated. But the decision is made upon the
>>> provisioning request.
>>>
>>> So I'd recommend to setup the reconciliation tasks, and start them first
>>> with the "dry-run" flag to see how many accounts can be correlated to
>>> midPoint users.
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 12/08/2014 04:51 PM, Jason Everling wrote:
>>>
>>>  So here is the scenario,
>>>
>>>  There is a DBTable resource that already has all the accounts,
>>> midpoint will not create or delete from this resource.
>>>
>>>  The user does not exist yet in Midpoint, The users are created in
>>> midpoint using another DBTable resource.
>>>
>>>  How can I link the newly created user in Midpoint to their account in
>>> the other resource,
>>>
>>>  I can do this by running a reconcile task on the resource but is there
>>> any other way to link users to accounts on other resources since they
>>> already exist without having to run reconcile on the resource everytime?
>>>
>>>  Thanks,
>>> JASON
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/d8f32511/attachment.htm>

From jeverling at bshp.edu  Mon Dec  8 21:54:18 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 14:54:18 -0600
Subject: [midPoint] Return without white spaces
Message-ID: <CAFkZXY6GGWozYG-S7MfYXQf_PiJC2aDNP+LYz8qxbcsG1PXLww@mail.gmail.com>

Within a few of my resources that are sql databases, when the attributes
sync into Midpoint it is also returning the extra white spaces for example
the attribute could be 8 characters but has an extra 27 spaces. I didn't
notice until I was looking at users profile in Midpoint and when I click on
the attribute it has the spaces, same in the XML user object like

<extension xmlns:gen189="http://whatever.com/my">
      <gen189:profile>Editors                 </gen189:profile>

All the extra spaces are pulled in,

I figured there would be a way in the attribute mapping to import the
attribute without.

JASON

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/276d0e55/attachment.htm>

From mederly at evolveum.com  Mon Dec  8 21:55:31 2014
From: mederly at evolveum.com (Pavol Mederly)
Date: Mon, 08 Dec 2014 21:55:31 +0100
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <CAFkZXY70+SLKBL-HF4aKE=HFjBYNYBoBK5nog0gGtheWhC8uYA@mail.gmail.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
 <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
 <5485FB90.1000104@evolveum.com>
 <CAFkZXY70+SLKBL-HF4aKE=HFjBYNYBoBK5nog0gGtheWhC8uYA@mail.gmail.com>
Message-ID: <54861043.1010907@evolveum.com>

Jason,

are you sure it was really a full recon? :-) E.g. wasn't that a dry run 
in your case?

In my case, I have a testing OpenDJ LDAP server, a local PostgreSQL 
database, and a full recon takes approximately 80 milliseconds per user:

Finished resource part of object:...(Localhost OpenDJ) reconciliation: 
Processed 1004 account(s), got 0 error(s) Average time for one object: 
66.80677 ms (*wall clock time average: 77.61056 ms*).

Yours 27 minutes = 40,5 milliseconds per user seems to be quite 
impressive :)

Best regards,
Pavol

> I did a reconcile already from that last time I figured out how to do 
> it from one of the previous discussions. I just didn't know if it were 
> a standard to do a daily recon on a resource.
>
> It took 27 minutes to do a full Recon, I only have 6 attributes which 
> 3 are outbound and 3 is both in/out. Name, Last, Phone, Email, 
> Department, Profile (extension). This is a VMware VM on my workstation 
> also, so surprisingly fast because the virtual disk is on the same 
> disk as 10 other running VMs.
>
> I have almost 6 different resources now, various types, 2 of which are 
> this type where the resource already has the accounts.
>
> I also upgraded to 3.1 Snapshot, just so I am creating all the objects 
> on the latest version.
>
>
> On Mon, Dec 8, 2014 at 1:27 PM, Ivan Noris <ivan.noris at evolveum.com 
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     40.000 accounts is not an issue itself. Just be adwised that
>     performance strongly depends not only the number of users, but
>     also on configuration of mappings, logging, tracing etc. In other
>     words, linking the account is one thing, provisioning changes
>     during the recon takes more time.
>
>     Anyway we appreciate any information about the performance in your
>     case when it's finished.
>
>     And don't forget to run the dry-run recon first to be sure about
>     your correlation rules.
>
>     Thanks,
>     Ivan
>
>
>     On 12/08/2014 06:45 PM, Jason Everling wrote:
>>     Ok thanks, that is what I figured so I just wanted to make sure
>>     that was the case. I am going to remove that configuration, it
>>     should never create anyways, users will always be listed on that
>>     resource first way before midpoint would ever even create the
>>     midpoint user account.
>>
>>     I could also just leave that and run Reconcile on the resource
>>     nightly, it has 40,000 objects, that should not be an issue right?
>>
>>     JASON
>>
>>     On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Hi Jason,
>>
>>         as the error states, and based on what you've written earlier
>>         about disabling creates, it's because the create capability
>>         is disabled (deliberately). midPoint tries to create (add)
>>         account and the decision that it should be converted to an
>>         update comes just after the collision is detected.
>>
>>         I.
>>
>>
>>         On 12/08/2014 06:26 PM, Jason Everling wrote:
>>>         I figured that this was the case and I read on the wiki..
>>>
>>>         "Technically, when midPoint user is assigned a role that
>>>         should provision account on target system and the account
>>>         already exists (= can be correlated), it will be updated.
>>>         But the decision is made upon the provisioning request."
>>>
>>>         But it does not work, it errors out. Maybe because my
>>>         resource has create and delete disabled? Midpoint will never
>>>         create or delete accounts in this resource.
>>>
>>>         <cap:create>
>>>         <cap:enabled>false</cap:enabled>
>>>         </cap:create>
>>>         <cap:delete>
>>>         <cap:enabled>false</cap:enabled>
>>>         </cap:delete>
>>>
>>>         Starting error,
>>>
>>>         com.evolveum.midpoint.util.exception.SystemException:
>>>         com.evolveum.midpoint.util.exception.SystemException:
>>>         java.lang.UnsupportedOperationException: Resource does not
>>>         support 'create' operation
>>>
>>>         This is when I have a role that has an inducement for this
>>>         resource which I would have thought would just link since it
>>>         already exists, the correlation is employeeNumber like all
>>>         of my other resources.
>>>
>>>         JASON
>>>
>>>         On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris
>>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>>
>>>         wrote:
>>>
>>>             Hi Jason,
>>>
>>>             in general, the deployment is as follows:
>>>
>>>             1. import/reconcile from source system(s) to create
>>>             identities (users) in midPoint. This may also create
>>>             additional accounts in other systems (i.e. that were not
>>>             provisioned before).
>>>             2. create reconciliation tasks for all other systems,
>>>             where the accounts already exists and should be linked
>>>             to midpoint identities.
>>>
>>>             Based on the mappings in your resources, the
>>>             reconciliations may modify the data on the reconciled
>>>             resources (outbound mappings).
>>>
>>>             Technically, when midPoint user is assigned a role that
>>>             should provision account on target system and the
>>>             account already exists (= can be correlated), it will be
>>>             updated. But the decision is made upon the provisioning
>>>             request.
>>>
>>>             So I'd recommend to setup the reconciliation tasks, and
>>>             start them first with the "dry-run" flag to see how many
>>>             accounts can be correlated to midPoint users.
>>>
>>>             Regards,
>>>             Ivan
>>>
>>>
>>>             On 12/08/2014 04:51 PM, Jason Everling wrote:
>>>>             So here is the scenario,
>>>>
>>>>             There is a DBTable resource that already has all the
>>>>             accounts, midpoint will not create or delete from this
>>>>             resource.
>>>>
>>>>             The user does not exist yet in Midpoint, The users are
>>>>             created in midpoint using another DBTable resource.
>>>>
>>>>             How can I link the newly created user in Midpoint to
>>>>             their account in the other resource,
>>>>
>>>>             I can do this by running a reconcile task on the
>>>>             resource but is there any other way to link users to
>>>>             accounts on other resources since they already exist
>>>>             without having to run reconcile on the resource everytime?
>>>>
>>>>             Thanks,
>>>>             JASON
>>>>
>>>>
>>>>
>>>>             CONFIDENTIALITY NOTICE:
>>>>             This e-mail together with any attachments is
>>>>             proprietary and confidential; intended for only the
>>>>             recipient(s) named above and may contain information
>>>>             that is privileged. You should not retain, copy or use
>>>>             this e-mail or any attachments for any purpose, or
>>>>             disclose all or any part of the contents to any person.
>>>>             Any views or opinions expressed in this e-mail are
>>>>             those of the author and do not represent those of the
>>>>             Baptist School of Health Professions. If you have
>>>>             received this e-mail in error, or are not the named
>>>>             recipient(s), you are hereby notified that any review,
>>>>             dissemination, distribution or copying of this
>>>>             communication is prohibited by the sender and to do so
>>>>             might constitute a violation of the Electronic
>>>>             Communications Privacy Act, 18 U.S.C. section
>>>>             2510-2521. Please immediately notify the sender and
>>>>             delete this e-mail and any attachments from your computer.
>>>>
>>>>
>>>>             _______________________________________________
>>>>             midPoint mailing list
>>>>             midPoint at lists.evolveum.com  <mailto:midPoint at lists.evolveum.com>
>>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>             -- 
>>>                Ing. Ivan Noris
>>>                Senior Identity Management Engineer
>>>                evolveum.com  <http://evolveum.com>      evolveum.com/blog/  <http://evolveum.com/blog/>
>>>                _____________________________________________
>>>                "Semper Id(e)M Vix."
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com
>>>             <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com  <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>            Ing. Ivan Noris
>>            Senior Identity Management Engineer
>>            evolveum.com  <http://evolveum.com>      evolveum.com/blog/  <http://evolveum.com/blog/>
>>            _____________________________________________
>>            "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com  <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>        Ing. Ivan Noris
>        Senior Identity Management Engineer
>        evolveum.com  <http://evolveum.com>      evolveum.com/blog/  <http://evolveum.com/blog/>
>        _____________________________________________
>        "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and 
> confidential; intended for only the recipient(s) named above and may 
> contain information that is privileged. You should not retain, copy or 
> use this e-mail or any attachments for any purpose, or disclose all or 
> any part of the contents to any person. Any views or opinions 
> expressed in this e-mail are those of the author and do not represent 
> those of the Baptist School of Health Professions. If you have 
> received this e-mail in error, or are not the named recipient(s), you 
> are hereby notified that any review, dissemination, distribution or 
> copying of this communication is prohibited by the sender and to do so 
> might constitute a violation of the Electronic Communications Privacy 
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender 
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/3f5eb652/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  8 22:23:52 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 08 Dec 2014 22:23:52 +0100
Subject: [midPoint] Return without white spaces
In-Reply-To: <CAFkZXY6GGWozYG-S7MfYXQf_PiJC2aDNP+LYz8qxbcsG1PXLww@mail.gmail.com>
References: <CAFkZXY6GGWozYG-S7MfYXQf_PiJC2aDNP+LYz8qxbcsG1PXLww@mail.gmail.com>
Message-ID: <548616E8.1060605@evolveum.com>

Jason,

you can use basic.trim(variable).

For inbounds, this could be for example:

. . .
<attribute>
<ref>ri:description</ref>
<inbound>
  <expression>
    <script>
      <code>basic.trim(*input*)</code>
    </script>
  </expression>
  <target>
    <path>$user/description</path>
  </target>
</inbound>
</attribute>
. . .

The *input* variable contains the value from that attribute that is
being processed.

Regards,
Ivan
                 
On 12/08/2014 09:54 PM, Jason Everling wrote:
> Within a few of my resources that are sql databases, when the
> attributes sync into Midpoint it is also returning the extra white
> spaces for example the attribute could be 8 characters but has an
> extra 27 spaces. I didn't notice until I was looking at users profile
> in Midpoint and when I click on the attribute it has the spaces, same
> in the XML user object like
>
> <extension xmlns:gen189="http://whatever.com/my">
>       <gen189:profile>Editors                 </gen189:profile>
>
> All the extra spaces are pulled in,
>
> I figured there would be a way in the attribute mapping to import the
> attribute without.
>
> JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/445868e7/attachment.htm>

From jeverling at bshp.edu  Mon Dec  8 22:32:36 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 15:32:36 -0600
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <54861043.1010907@evolveum.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
 <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
 <5485FB90.1000104@evolveum.com>
 <CAFkZXY70+SLKBL-HF4aKE=HFjBYNYBoBK5nog0gGtheWhC8uYA@mail.gmail.com>
 <54861043.1010907@evolveum.com>
Message-ID: <CAFkZXY6feX3SmB9Qg4ZtbP8ec9bhehD2YmrQ4-p1yG1OjN07Zg@mail.gmail.com>

Yeah, I just did another database, our collaboration application, this one
had almost 15000 records, now I am not sure if when Midpoint also has a lot
of accounts, my testing environment only has about 20 users. Took about 9
minutes, I am pretty sure it is a full recon, I am clicking new task,
selecting the resource and then running it,

Task run last started Monday, 8. Dec 2014 14:53:57  Task run last
finished Monday,
8. Dec 2014 15:02:58
1000000000000042505

com.evolveum.midpoint.common.operation.reconciliation.ResourceReconciliation
 SUCCESS
 Processed 14283 account(s), got 0 error(s)

On Mon, Dec 8, 2014 at 2:55 PM, Pavol Mederly <mederly at evolveum.com> wrote:

>  Jason,
>
> are you sure it was really a full recon? :-) E.g. wasn't that a dry run in
> your case?
>
> In my case, I have a testing OpenDJ LDAP server, a local PostgreSQL
> database, and a full recon takes approximately 80 milliseconds per user:
>
> Finished resource part of object:...(Localhost OpenDJ) reconciliation:
> Processed 1004 account(s), got 0 error(s) Average time for one object:
> 66.80677 ms (*wall clock time average: 77.61056 ms*).
>
> Yours 27 minutes = 40,5 milliseconds per user seems to be quite impressive
> :)
>
> Best regards,
> Pavol
>
>  I did a reconcile already from that last time I figured out how to do it
> from one of the previous discussions. I just didn't know if it were a
> standard to do a daily recon on a resource.
>
>  It took 27 minutes to do a full Recon, I only have 6 attributes which 3
> are outbound and 3 is both in/out. Name, Last, Phone, Email, Department,
> Profile (extension). This is a VMware VM on my workstation also, so
> surprisingly fast because the virtual disk is on the same disk as 10 other
> running VMs.
>
>  I have almost 6 different resources now, various types, 2 of which are
> this type where the resource already has the accounts.
>
>  I also upgraded to 3.1 Snapshot, just so I am creating all the objects
> on the latest version.
>
>
>
> On Mon, Dec 8, 2014 at 1:27 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>> 40.000 accounts is not an issue itself. Just be adwised that performance
>> strongly depends not only the number of users, but also on configuration of
>> mappings, logging, tracing etc. In other words, linking the account is one
>> thing, provisioning changes during the recon takes more time.
>>
>> Anyway we appreciate any information about the performance in your case
>> when it's finished.
>>
>> And don't forget to run the dry-run recon first to be sure about your
>> correlation rules.
>>
>> Thanks,
>> Ivan
>>
>>
>> On 12/08/2014 06:45 PM, Jason Everling wrote:
>>
>> Ok thanks, that is what I figured so I just wanted to make sure that was
>> the case. I am going to remove that configuration, it should never create
>> anyways, users will always be listed on that resource first way before
>> midpoint would ever even create the midpoint user account.
>>
>>  I could also just leave that and run Reconcile on the resource nightly,
>> it has 40,000 objects, that should not be an issue right?
>>
>>  JASON
>>
>> On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> as the error states, and based on what you've written earlier about
>>> disabling creates, it's because the create capability is disabled
>>> (deliberately). midPoint tries to create (add) account and the decision
>>> that it should be converted to an update comes just after the collision is
>>> detected.
>>>
>>> I.
>>>
>>>
>>> On 12/08/2014 06:26 PM, Jason Everling wrote:
>>>
>>> I figured that this was the case and I read on the wiki..
>>>
>>> "Technically, when midPoint user is assigned a role that should
>>> provision account on target system and the account already exists (= can be
>>> correlated), it will be updated. But the decision is made upon the
>>> provisioning request."
>>>
>>>  But it does not work, it errors out. Maybe because my resource has
>>> create and delete disabled? Midpoint will never create or delete accounts
>>> in this resource.
>>>
>>>   <cap:create>
>>>                     <cap:enabled>false</cap:enabled>
>>>                 </cap:create>
>>>                 <cap:delete>
>>>  <cap:enabled>false</cap:enabled>
>>>                 </cap:delete>
>>>
>>>  Starting error,
>>>
>>>  com.evolveum.midpoint.util.exception.SystemException:
>>> com.evolveum.midpoint.util.exception.SystemException:
>>> java.lang.UnsupportedOperationException: Resource does not support 'create'
>>> operation
>>>
>>>  This is when I have a role that has an inducement for this resource
>>> which I would have thought would just link since it already exists, the
>>> correlation is employeeNumber like all of my other resources.
>>>
>>>  JASON
>>>
>>> On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>> in general, the deployment is as follows:
>>>>
>>>> 1. import/reconcile from source system(s) to create identities (users)
>>>> in midPoint. This may also create additional accounts in other systems
>>>> (i.e. that were not provisioned before).
>>>> 2. create reconciliation tasks for all other systems, where the
>>>> accounts already exists and should be linked to midpoint identities.
>>>>
>>>> Based on the mappings in your resources, the reconciliations may modify
>>>> the data on the reconciled resources (outbound mappings).
>>>>
>>>> Technically, when midPoint user is assigned a role that should
>>>> provision account on target system and the account already exists (= can be
>>>> correlated), it will be updated. But the decision is made upon the
>>>> provisioning request.
>>>>
>>>> So I'd recommend to setup the reconciliation tasks, and start them
>>>> first with the "dry-run" flag to see how many accounts can be correlated to
>>>> midPoint users.
>>>>
>>>> Regards,
>>>> Ivan
>>>>
>>>>
>>>> On 12/08/2014 04:51 PM, Jason Everling wrote:
>>>>
>>>>  So here is the scenario,
>>>>
>>>>  There is a DBTable resource that already has all the accounts,
>>>> midpoint will not create or delete from this resource.
>>>>
>>>>  The user does not exist yet in Midpoint, The users are created in
>>>> midpoint using another DBTable resource.
>>>>
>>>>  How can I link the newly created user in Midpoint to their account in
>>>> the other resource,
>>>>
>>>>  I can do this by running a reconcile task on the resource but is
>>>> there any other way to link users to accounts on other resources since they
>>>> already exist without having to run reconcile on the resource everytime?
>>>>
>>>>  Thanks,
>>>> JASON
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/f60e8b94/attachment.htm>

From jeverling at bshp.edu  Mon Dec  8 22:34:34 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 15:34:34 -0600
Subject: [midPoint] Return without white spaces
In-Reply-To: <548616E8.1060605@evolveum.com>
References: <CAFkZXY6GGWozYG-S7MfYXQf_PiJC2aDNP+LYz8qxbcsG1PXLww@mail.gmail.com>
 <548616E8.1060605@evolveum.com>
Message-ID: <CAFkZXY6RgL0HWkWsoytQAce+0vJkQvVO6H5r9JZYEV35evoF3A@mail.gmail.com>

You make it look so easy! I google'd forever and tried to do it myself and
it looked way more complicated than this,

Thanks!

JASON

On Mon, Dec 8, 2014 at 3:23 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> you can use basic.trim(variable).
>
> For inbounds, this could be for example:
>
> . . .
> <attribute>
> <ref>ri:description</ref>
> <inbound>
>   <expression>
>     <script>
>       <code>basic.trim(*input*)</code>
>     </script>
>   </expression>
>   <target>
>     <path>$user/description</path>
>   </target>
> </inbound>
> </attribute>
> . . .
>
> The *input* variable contains the value from that attribute that is being
> processed.
>
> Regards,
> Ivan
>
>
> On 12/08/2014 09:54 PM, Jason Everling wrote:
>
> Within a few of my resources that are sql databases, when the attributes
> sync into Midpoint it is also returning the extra white spaces for example
> the attribute could be 8 characters but has an extra 27 spaces. I didn't
> notice until I was looking at users profile in Midpoint and when I click on
> the attribute it has the spaces, same in the XML user object like
>
>  <extension xmlns:gen189="http://whatever.com/my">
>       <gen189:profile>Editors                 </gen189:profile>
>
>  All the extra spaces are pulled in,
>
>  I figured there would be a way in the attribute mapping to import the
> attribute without.
>
>  JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/56e6e50a/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  8 22:40:22 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 08 Dec 2014 22:40:22 +0100
Subject: [midPoint] Return without white spaces
In-Reply-To: <CAFkZXY6RgL0HWkWsoytQAce+0vJkQvVO6H5r9JZYEV35evoF3A@mail.gmail.com>
References: <CAFkZXY6GGWozYG-S7MfYXQf_PiJC2aDNP+LYz8qxbcsG1PXLww@mail.gmail.com>
 <548616E8.1060605@evolveum.com>
 <CAFkZXY6RgL0HWkWsoytQAce+0vJkQvVO6H5r9JZYEV35evoF3A@mail.gmail.com>
Message-ID: <54861AC6.80203@evolveum.com>

Jason,

it's possible to use also Java/Groovy trim methods or anything you wish;
but we have some already handy in midPoint libraries.

The point is to know that during inbound processing, the original
attribute value from resource is in the variable named "input".

Of course you can check the variable for null before calling some string
methods on it etc.

See: https://wiki.evolveum.com/display/midPoint/Script+Expression+Functions

Regards,
Ivan

On 12/08/2014 10:34 PM, Jason Everling wrote:
> You make it look so easy! I google'd forever and tried to do it myself
> and it looked way more complicated than this,
>
> Thanks!
>
> JASON
>
> On Mon, Dec 8, 2014 at 3:23 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Jason,
>
>     you can use basic.trim(variable).
>
>     For inbounds, this could be for example:
>
>     . . .
>     <attribute>
>     <ref>ri:description</ref>
>     <inbound>
>       <expression>
>         <script>
>           <code>basic.trim(*input*)</code>
>         </script>
>       </expression>
>       <target>
>         <path>$user/description</path>
>       </target>
>     </inbound>
>     </attribute>
>     . . .
>
>     The *input* variable contains the value from that attribute that
>     is being processed.
>
>     Regards,
>     Ivan
>
>                      
>     On 12/08/2014 09:54 PM, Jason Everling wrote:
>>     Within a few of my resources that are sql databases, when the
>>     attributes sync into Midpoint it is also returning the extra
>>     white spaces for example the attribute could be 8 characters but
>>     has an extra 27 spaces. I didn't notice until I was looking at
>>     users profile in Midpoint and when I click on the attribute it
>>     has the spaces, same in the XML user object like
>>
>>     <extension xmlns:gen189="http://whatever.com/my">
>>           <gen189:profile>Editors                 </gen189:profile>
>>
>>     All the extra spaces are pulled in,
>>
>>     I figured there would be a way in the attribute mapping to import
>>     the attribute without.
>>
>>     JASON
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/58e88aa0/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec  8 22:44:59 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 08 Dec 2014 22:44:59 +0100
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <CAFkZXY6feX3SmB9Qg4ZtbP8ec9bhehD2YmrQ4-p1yG1OjN07Zg@mail.gmail.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
 <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
 <5485FB90.1000104@evolveum.com>
 <CAFkZXY70+SLKBL-HF4aKE=HFjBYNYBoBK5nog0gGtheWhC8uYA@mail.gmail.com>
 <54861043.1010907@evolveum.com>
 <CAFkZXY6feX3SmB9Qg4ZtbP8ec9bhehD2YmrQ4-p1yG1OjN07Zg@mail.gmail.com>
Message-ID: <54861BDB.4080409@evolveum.com>

Jason,

what actions took place for the reconciliation? I.e. what situations
were configured to to apply what reaction?

If you were only linking (unlinked->linkAccount), not creating new users
in midPoint, I guess only about 20 users were linked and the rest of the
accounts were just searched and skipped after correlation expression has
been applied.

The recon results can be displayed by clicking Configuration - Shadow
Details and selecting the resource, kind and intent. In your case,
kind="account" and intent is almost for sure "default". You will see the
numbers/statistics of the accounts there.

I'd expect about 20 linked and the rest unmatched.

Regards,
I.

On 12/08/2014 10:32 PM, Jason Everling wrote:
> Yeah, I just did another database, our collaboration application, this
> one had almost 15000 records, now I am not sure if when Midpoint also
> has a lot of accounts, my testing environment only has about 20 users.
> Took about 9 minutes, I am pretty sure it is a full recon, I am
> clicking new task, selecting the resource and then running it,
>
> Task run last started 	Monday, 8. Dec 2014 14:53:57
> Task run last finished 	Monday, 8. Dec 2014 15:02:58
>
>
> 1000000000000042505
> 	
> com.evolveum.midpoint.common.operation.reconciliation.ResourceReconciliation
> 	
> SUCCESS
> 	
> Processed 14283 account(s), got 0 error(s)
>
>
> On Mon, Dec 8, 2014 at 2:55 PM, Pavol Mederly <mederly at evolveum.com
> <mailto:mederly at evolveum.com>> wrote:
>
>     Jason,
>
>     are you sure it was really a full recon? :-) E.g. wasn't that a
>     dry run in your case?
>
>     In my case, I have a testing OpenDJ LDAP server, a local
>     PostgreSQL database, and a full recon takes approximately 80
>     milliseconds per user:
>
>     Finished resource part of object:...(Localhost OpenDJ)
>     reconciliation: Processed 1004 account(s), got 0 error(s) Average
>     time for one object: 66.80677 ms (*wall clock time average:
>     77.61056 ms*).
>
>     Yours 27 minutes = 40,5 milliseconds per user seems to be quite
>     impressive :)
>
>     Best regards,
>     Pavol
>
>>     I did a reconcile already from that last time I figured out how
>>     to do it from one of the previous discussions. I just didn't know
>>     if it were a standard to do a daily recon on a resource.
>>
>>     It took 27 minutes to do a full Recon, I only have 6 attributes
>>     which 3 are outbound and 3 is both in/out. Name, Last, Phone,
>>     Email, Department, Profile (extension). This is a VMware VM on my
>>     workstation also, so surprisingly fast because the virtual disk
>>     is on the same disk as 10 other running VMs.
>>
>>     I have almost 6 different resources now, various types, 2 of
>>     which are this type where the resource already has the accounts.
>>
>>     I also upgraded to 3.1 Snapshot, just so I am creating all the
>>     objects on the latest version.
>>
>>      
>>
>>     On Mon, Dec 8, 2014 at 1:27 PM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Hi Jason,
>>
>>         40.000 accounts is not an issue itself. Just be adwised that
>>         performance strongly depends not only the number of users,
>>         but also on configuration of mappings, logging, tracing etc.
>>         In other words, linking the account is one thing,
>>         provisioning changes during the recon takes more time.
>>
>>         Anyway we appreciate any information about the performance in
>>         your case when it's finished.
>>
>>         And don't forget to run the dry-run recon first to be sure
>>         about your correlation rules.
>>
>>         Thanks,
>>         Ivan
>>
>>
>>         On 12/08/2014 06:45 PM, Jason Everling wrote:
>>>         Ok thanks, that is what I figured so I just wanted to make
>>>         sure that was the case. I am going to remove that
>>>         configuration, it should never create anyways, users will
>>>         always be listed on that resource first way before midpoint
>>>         would ever even create the midpoint user account.
>>>
>>>         I could also just leave that and run Reconcile on the
>>>         resource nightly, it has 40,000 objects, that should not be
>>>         an issue right?
>>>
>>>         JASON
>>>
>>>         On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris
>>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>>
>>>         wrote:
>>>
>>>             Hi Jason,
>>>
>>>             as the error states, and based on what you've written
>>>             earlier about disabling creates, it's because the create
>>>             capability is disabled (deliberately). midPoint tries to
>>>             create (add) account and the decision that it should be
>>>             converted to an update comes just after the collision is
>>>             detected.
>>>
>>>             I.
>>>
>>>
>>>             On 12/08/2014 06:26 PM, Jason Everling wrote:
>>>>             I figured that this was the case and I read on the wiki..
>>>>
>>>>             "Technically, when midPoint user is assigned a role
>>>>             that should provision account on target system and the
>>>>             account already exists (= can be correlated), it will
>>>>             be updated. But the decision is made upon the
>>>>             provisioning request."
>>>>
>>>>             But it does not work, it errors out. Maybe because my
>>>>             resource has create and delete disabled? Midpoint will
>>>>             never create or delete accounts in this resource.
>>>>
>>>>             <cap:create>
>>>>                                 <cap:enabled>false</cap:enabled>
>>>>                             </cap:create>
>>>>                             <cap:delete>
>>>>             <cap:enabled>false</cap:enabled>
>>>>                             </cap:delete>
>>>>
>>>>             Starting error,
>>>>
>>>>             com.evolveum.midpoint.util.exception.SystemException:
>>>>             com.evolveum.midpoint.util.exception.SystemException:
>>>>             java.lang.UnsupportedOperationException: Resource does
>>>>             not support 'create' operation
>>>>
>>>>             This is when I have a role that has an inducement for
>>>>             this resource which I would have thought would just
>>>>             link since it already exists, the correlation is
>>>>             employeeNumber like all of my other resources.
>>>>
>>>>             JASON
>>>>
>>>>             On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris
>>>>             <ivan.noris at evolveum.com
>>>>             <mailto:ivan.noris at evolveum.com>> wrote:
>>>>
>>>>                 Hi Jason,
>>>>
>>>>                 in general, the deployment is as follows:
>>>>
>>>>                 1. import/reconcile from source system(s) to create
>>>>                 identities (users) in midPoint. This may also
>>>>                 create additional accounts in other systems (i.e.
>>>>                 that were not provisioned before).
>>>>                 2. create reconciliation tasks for all other
>>>>                 systems, where the accounts already exists and
>>>>                 should be linked to midpoint identities.
>>>>
>>>>                 Based on the mappings in your resources, the
>>>>                 reconciliations may modify the data on the
>>>>                 reconciled resources (outbound mappings).
>>>>
>>>>                 Technically, when midPoint user is assigned a role
>>>>                 that should provision account on target system and
>>>>                 the account already exists (= can be correlated),
>>>>                 it will be updated. But the decision is made upon
>>>>                 the provisioning request.
>>>>
>>>>                 So I'd recommend to setup the reconciliation tasks,
>>>>                 and start them first with the "dry-run" flag to see
>>>>                 how many accounts can be correlated to midPoint users.
>>>>
>>>>                 Regards,
>>>>                 Ivan
>>>>
>>>>
>>>>                 On 12/08/2014 04:51 PM, Jason Everling wrote:
>>>>>                 So here is the scenario,
>>>>>
>>>>>                 There is a DBTable resource that already has all
>>>>>                 the accounts, midpoint will not create or delete
>>>>>                 from this resource.
>>>>>
>>>>>                 The user does not exist yet in Midpoint, The users
>>>>>                 are created in midpoint using another DBTable
>>>>>                 resource.
>>>>>
>>>>>                 How can I link the newly created user in Midpoint
>>>>>                 to their account in the other resource,
>>>>>
>>>>>                 I can do this by running a reconcile task on the
>>>>>                 resource but is there any other way to link users
>>>>>                 to accounts on other resources since they already
>>>>>                 exist without having to run reconcile on the
>>>>>                 resource everytime?
>>>>>
>>>>>                 Thanks,
>>>>>                 JASON
>>>>>
>>>>>
>>>>>
>>>>>                 CONFIDENTIALITY NOTICE:
>>>>>                 This e-mail together with any attachments is
>>>>>                 proprietary and confidential; intended for only
>>>>>                 the recipient(s) named above and may contain
>>>>>                 information that is privileged. You should not
>>>>>                 retain, copy or use this e-mail or any attachments
>>>>>                 for any purpose, or disclose all or any part of
>>>>>                 the contents to any person. Any views or opinions
>>>>>                 expressed in this e-mail are those of the author
>>>>>                 and do not represent those of the Baptist School
>>>>>                 of Health Professions. If you have received this
>>>>>                 e-mail in error, or are not the named
>>>>>                 recipient(s), you are hereby notified that any
>>>>>                 review, dissemination, distribution or copying of
>>>>>                 this communication is prohibited by the sender and
>>>>>                 to do so might constitute a violation of the
>>>>>                 Electronic Communications Privacy Act, 18 U.S.C.
>>>>>                 section 2510-2521. Please immediately notify the
>>>>>                 sender and delete this e-mail and any attachments
>>>>>                 from your computer.
>>>>>
>>>>>
>>>>>                 _______________________________________________
>>>>>                 midPoint mailing list
>>>>>                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>                 -- 
>>>>                   Ing. Ivan Noris
>>>>                   Senior Identity Management Engineer
>>>>                   evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>                   _____________________________________________
>>>>                   "Semper Id(e)M Vix."
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 midPoint mailing list
>>>>                 midPoint at lists.evolveum.com
>>>>                 <mailto:midPoint at lists.evolveum.com>
>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>             CONFIDENTIALITY NOTICE:
>>>>             This e-mail together with any attachments is
>>>>             proprietary and confidential; intended for only the
>>>>             recipient(s) named above and may contain information
>>>>             that is privileged. You should not retain, copy or use
>>>>             this e-mail or any attachments for any purpose, or
>>>>             disclose all or any part of the contents to any person.
>>>>             Any views or opinions expressed in this e-mail are
>>>>             those of the author and do not represent those of the
>>>>             Baptist School of Health Professions. If you have
>>>>             received this e-mail in error, or are not the named
>>>>             recipient(s), you are hereby notified that any review,
>>>>             dissemination, distribution or copying of this
>>>>             communication is prohibited by the sender and to do so
>>>>             might constitute a violation of the Electronic
>>>>             Communications Privacy Act, 18 U.S.C. section
>>>>             2510-2521. Please immediately notify the sender and
>>>>             delete this e-mail and any attachments from your computer.
>>>>
>>>>
>>>>             _______________________________________________
>>>>             midPoint mailing list
>>>>             midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>             -- 
>>>               Ing. Ivan Noris
>>>               Senior Identity Management Engineer
>>>               evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>               _____________________________________________
>>>               "Semper Id(e)M Vix."
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com
>>>             <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/d988d876/attachment.htm>

From jeverling at bshp.edu  Mon Dec  8 22:53:06 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 15:53:06 -0600
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <54861BDB.4080409@evolveum.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
 <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
 <5485FB90.1000104@evolveum.com>
 <CAFkZXY70+SLKBL-HF4aKE=HFjBYNYBoBK5nog0gGtheWhC8uYA@mail.gmail.com>
 <54861043.1010907@evolveum.com>
 <CAFkZXY6feX3SmB9Qg4ZtbP8ec9bhehD2YmrQ4-p1yG1OjN07Zg@mail.gmail.com>
 <54861BDB.4080409@evolveum.com>
Message-ID: <CAFkZXY5a0pEMLB-Bi2YkBSU6fyBKb919XAV0PUFfff5=WyE-mw@mail.gmail.com>

Correct! Now when this is actually in production it should change to about
1000 from 20, we normally have about 1000 active students/faculty/staff
every semester. The initial deployment I do not plan on importing all
accounts, some are from many many years ago. That what all the sync
conditions were for,

Linked 19 Unmatched 14266Disputed 0 Unlinked 0 Nothing 0

On Mon, Dec 8, 2014 at 3:44 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> what actions took place for the reconciliation? I.e. what situations were
> configured to to apply what reaction?
>
> If you were only linking (unlinked->linkAccount), not creating new users
> in midPoint, I guess only about 20 users were linked and the rest of the
> accounts were just searched and skipped after correlation expression has
> been applied.
>
> The recon results can be displayed by clicking Configuration - Shadow
> Details and selecting the resource, kind and intent. In your case,
> kind="account" and intent is almost for sure "default". You will see the
> numbers/statistics of the accounts there.
>
> I'd expect about 20 linked and the rest unmatched.
>
> Regards,
> I.
>
>
> On 12/08/2014 10:32 PM, Jason Everling wrote:
>
> Yeah, I just did another database, our collaboration application, this one
> had almost 15000 records, now I am not sure if when Midpoint also has a lot
> of accounts, my testing environment only has about 20 users. Took about 9
> minutes, I am pretty sure it is a full recon, I am clicking new task,
> selecting the resource and then running it,
>
>    Task run last started Monday, 8. Dec 2014 14:53:57  Task run last
> finished Monday, 8. Dec 2014 15:02:58
>    1000000000000042505
>
> com.evolveum.midpoint.common.operation.reconciliation.ResourceReconciliation
>  SUCCESS
>  Processed 14283 account(s), got 0 error(s)
>
> On Mon, Dec 8, 2014 at 2:55 PM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>>  Jason,
>>
>> are you sure it was really a full recon? :-) E.g. wasn't that a dry run
>> in your case?
>>
>> In my case, I have a testing OpenDJ LDAP server, a local PostgreSQL
>> database, and a full recon takes approximately 80 milliseconds per user:
>>
>> Finished resource part of object:...(Localhost OpenDJ) reconciliation:
>> Processed 1004 account(s), got 0 error(s) Average time for one object:
>> 66.80677 ms (*wall clock time average: 77.61056 ms*).
>>
>> Yours 27 minutes = 40,5 milliseconds per user seems to be quite
>> impressive :)
>>
>> Best regards,
>> Pavol
>>
>>   I did a reconcile already from that last time I figured out how to do
>> it from one of the previous discussions. I just didn't know if it were a
>> standard to do a daily recon on a resource.
>>
>>  It took 27 minutes to do a full Recon, I only have 6 attributes which 3
>> are outbound and 3 is both in/out. Name, Last, Phone, Email, Department,
>> Profile (extension). This is a VMware VM on my workstation also, so
>> surprisingly fast because the virtual disk is on the same disk as 10 other
>> running VMs.
>>
>>  I have almost 6 different resources now, various types, 2 of which are
>> this type where the resource already has the accounts.
>>
>>  I also upgraded to 3.1 Snapshot, just so I am creating all the objects
>> on the latest version.
>>
>>
>>
>> On Mon, Dec 8, 2014 at 1:27 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> 40.000 accounts is not an issue itself. Just be adwised that performance
>>> strongly depends not only the number of users, but also on configuration of
>>> mappings, logging, tracing etc. In other words, linking the account is one
>>> thing, provisioning changes during the recon takes more time.
>>>
>>> Anyway we appreciate any information about the performance in your case
>>> when it's finished.
>>>
>>> And don't forget to run the dry-run recon first to be sure about your
>>> correlation rules.
>>>
>>> Thanks,
>>> Ivan
>>>
>>>
>>> On 12/08/2014 06:45 PM, Jason Everling wrote:
>>>
>>> Ok thanks, that is what I figured so I just wanted to make sure that was
>>> the case. I am going to remove that configuration, it should never create
>>> anyways, users will always be listed on that resource first way before
>>> midpoint would ever even create the midpoint user account.
>>>
>>>  I could also just leave that and run Reconcile on the resource
>>> nightly, it has 40,000 objects, that should not be an issue right?
>>>
>>>  JASON
>>>
>>> On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>> as the error states, and based on what you've written earlier about
>>>> disabling creates, it's because the create capability is disabled
>>>> (deliberately). midPoint tries to create (add) account and the decision
>>>> that it should be converted to an update comes just after the collision is
>>>> detected.
>>>>
>>>> I.
>>>>
>>>>
>>>> On 12/08/2014 06:26 PM, Jason Everling wrote:
>>>>
>>>> I figured that this was the case and I read on the wiki..
>>>>
>>>> "Technically, when midPoint user is assigned a role that should
>>>> provision account on target system and the account already exists (= can be
>>>> correlated), it will be updated. But the decision is made upon the
>>>> provisioning request."
>>>>
>>>>  But it does not work, it errors out. Maybe because my resource has
>>>> create and delete disabled? Midpoint will never create or delete accounts
>>>> in this resource.
>>>>
>>>>   <cap:create>
>>>>                     <cap:enabled>false</cap:enabled>
>>>>                 </cap:create>
>>>>                 <cap:delete>
>>>>  <cap:enabled>false</cap:enabled>
>>>>                 </cap:delete>
>>>>
>>>>  Starting error,
>>>>
>>>>  com.evolveum.midpoint.util.exception.SystemException:
>>>> com.evolveum.midpoint.util.exception.SystemException:
>>>> java.lang.UnsupportedOperationException: Resource does not support 'create'
>>>> operation
>>>>
>>>>  This is when I have a role that has an inducement for this resource
>>>> which I would have thought would just link since it already exists, the
>>>> correlation is employeeNumber like all of my other resources.
>>>>
>>>>  JASON
>>>>
>>>> On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hi Jason,
>>>>>
>>>>> in general, the deployment is as follows:
>>>>>
>>>>> 1. import/reconcile from source system(s) to create identities (users)
>>>>> in midPoint. This may also create additional accounts in other systems
>>>>> (i.e. that were not provisioned before).
>>>>> 2. create reconciliation tasks for all other systems, where the
>>>>> accounts already exists and should be linked to midpoint identities.
>>>>>
>>>>> Based on the mappings in your resources, the reconciliations may
>>>>> modify the data on the reconciled resources (outbound mappings).
>>>>>
>>>>> Technically, when midPoint user is assigned a role that should
>>>>> provision account on target system and the account already exists (= can be
>>>>> correlated), it will be updated. But the decision is made upon the
>>>>> provisioning request.
>>>>>
>>>>> So I'd recommend to setup the reconciliation tasks, and start them
>>>>> first with the "dry-run" flag to see how many accounts can be correlated to
>>>>> midPoint users.
>>>>>
>>>>> Regards,
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 12/08/2014 04:51 PM, Jason Everling wrote:
>>>>>
>>>>>  So here is the scenario,
>>>>>
>>>>>  There is a DBTable resource that already has all the accounts,
>>>>> midpoint will not create or delete from this resource.
>>>>>
>>>>>  The user does not exist yet in Midpoint, The users are created in
>>>>> midpoint using another DBTable resource.
>>>>>
>>>>>  How can I link the newly created user in Midpoint to their account
>>>>> in the other resource,
>>>>>
>>>>>  I can do this by running a reconcile task on the resource but is
>>>>> there any other way to link users to accounts on other resources since they
>>>>> already exist without having to run reconcile on the resource everytime?
>>>>>
>>>>>  Thanks,
>>>>> JASON
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>> --
>>>>>   Ing. Ivan Noris
>>>>>   Senior Identity Management Engineer
>>>>>   evolveum.com     evolveum.com/blog/
>>>>>   _____________________________________________
>>>>>   "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/f880a8f1/attachment.htm>

From jeverling at bshp.edu  Mon Dec  8 22:55:51 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 8 Dec 2014 15:55:51 -0600
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <CAFkZXY5a0pEMLB-Bi2YkBSU6fyBKb919XAV0PUFfff5=WyE-mw@mail.gmail.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
 <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
 <5485FB90.1000104@evolveum.com>
 <CAFkZXY70+SLKBL-HF4aKE=HFjBYNYBoBK5nog0gGtheWhC8uYA@mail.gmail.com>
 <54861043.1010907@evolveum.com>
 <CAFkZXY6feX3SmB9Qg4ZtbP8ec9bhehD2YmrQ4-p1yG1OjN07Zg@mail.gmail.com>
 <54861BDB.4080409@evolveum.com>
 <CAFkZXY5a0pEMLB-Bi2YkBSU6fyBKb919XAV0PUFfff5=WyE-mw@mail.gmail.com>
Message-ID: <CAFkZXY4nJhkAf39u=qVMm-YvxQ+KVw=HtjstLsysDnEieBiUqw@mail.gmail.com>

I missed a few of your other questions, the reactions are to only match,
unlink, or link.

JASON

On Mon, Dec 8, 2014 at 3:53 PM, Jason Everling <jeverling at bshp.edu> wrote:

> Correct! Now when this is actually in production it should change to about
> 1000 from 20, we normally have about 1000 active students/faculty/staff
> every semester. The initial deployment I do not plan on importing all
> accounts, some are from many many years ago. That what all the sync
> conditions were for,
>
> Linked 19 Unmatched 14266Disputed 0 Unlinked 0 Nothing 0
>
> On Mon, Dec 8, 2014 at 3:44 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Jason,
>>
>> what actions took place for the reconciliation? I.e. what situations were
>> configured to to apply what reaction?
>>
>> If you were only linking (unlinked->linkAccount), not creating new users
>> in midPoint, I guess only about 20 users were linked and the rest of the
>> accounts were just searched and skipped after correlation expression has
>> been applied.
>>
>> The recon results can be displayed by clicking Configuration - Shadow
>> Details and selecting the resource, kind and intent. In your case,
>> kind="account" and intent is almost for sure "default". You will see the
>> numbers/statistics of the accounts there.
>>
>> I'd expect about 20 linked and the rest unmatched.
>>
>> Regards,
>> I.
>>
>>
>> On 12/08/2014 10:32 PM, Jason Everling wrote:
>>
>> Yeah, I just did another database, our collaboration application, this
>> one had almost 15000 records, now I am not sure if when Midpoint also has a
>> lot of accounts, my testing environment only has about 20 users. Took about
>> 9 minutes, I am pretty sure it is a full recon, I am clicking new task,
>> selecting the resource and then running it,
>>
>>    Task run last started Monday, 8. Dec 2014 14:53:57  Task run last
>> finished Monday, 8. Dec 2014 15:02:58
>>    1000000000000042505
>>
>> com.evolveum.midpoint.common.operation.reconciliation.ResourceReconciliation
>>  SUCCESS
>>  Processed 14283 account(s), got 0 error(s)
>>
>> On Mon, Dec 8, 2014 at 2:55 PM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>>  Jason,
>>>
>>> are you sure it was really a full recon? :-) E.g. wasn't that a dry run
>>> in your case?
>>>
>>> In my case, I have a testing OpenDJ LDAP server, a local PostgreSQL
>>> database, and a full recon takes approximately 80 milliseconds per user:
>>>
>>> Finished resource part of object:...(Localhost OpenDJ) reconciliation:
>>> Processed 1004 account(s), got 0 error(s) Average time for one object:
>>> 66.80677 ms (*wall clock time average: 77.61056 ms*).
>>>
>>> Yours 27 minutes = 40,5 milliseconds per user seems to be quite
>>> impressive :)
>>>
>>> Best regards,
>>> Pavol
>>>
>>>   I did a reconcile already from that last time I figured out how to do
>>> it from one of the previous discussions. I just didn't know if it were a
>>> standard to do a daily recon on a resource.
>>>
>>>  It took 27 minutes to do a full Recon, I only have 6 attributes which
>>> 3 are outbound and 3 is both in/out. Name, Last, Phone, Email, Department,
>>> Profile (extension). This is a VMware VM on my workstation also, so
>>> surprisingly fast because the virtual disk is on the same disk as 10 other
>>> running VMs.
>>>
>>>  I have almost 6 different resources now, various types, 2 of which are
>>> this type where the resource already has the accounts.
>>>
>>>  I also upgraded to 3.1 Snapshot, just so I am creating all the objects
>>> on the latest version.
>>>
>>>
>>>
>>> On Mon, Dec 8, 2014 at 1:27 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>> 40.000 accounts is not an issue itself. Just be adwised that
>>>> performance strongly depends not only the number of users, but also on
>>>> configuration of mappings, logging, tracing etc. In other words, linking
>>>> the account is one thing, provisioning changes during the recon takes more
>>>> time.
>>>>
>>>> Anyway we appreciate any information about the performance in your case
>>>> when it's finished.
>>>>
>>>> And don't forget to run the dry-run recon first to be sure about your
>>>> correlation rules.
>>>>
>>>> Thanks,
>>>> Ivan
>>>>
>>>>
>>>> On 12/08/2014 06:45 PM, Jason Everling wrote:
>>>>
>>>> Ok thanks, that is what I figured so I just wanted to make sure that
>>>> was the case. I am going to remove that configuration, it should never
>>>> create anyways, users will always be listed on that resource first way
>>>> before midpoint would ever even create the midpoint user account.
>>>>
>>>>  I could also just leave that and run Reconcile on the resource
>>>> nightly, it has 40,000 objects, that should not be an issue right?
>>>>
>>>>  JASON
>>>>
>>>> On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hi Jason,
>>>>>
>>>>> as the error states, and based on what you've written earlier about
>>>>> disabling creates, it's because the create capability is disabled
>>>>> (deliberately). midPoint tries to create (add) account and the decision
>>>>> that it should be converted to an update comes just after the collision is
>>>>> detected.
>>>>>
>>>>> I.
>>>>>
>>>>>
>>>>> On 12/08/2014 06:26 PM, Jason Everling wrote:
>>>>>
>>>>> I figured that this was the case and I read on the wiki..
>>>>>
>>>>> "Technically, when midPoint user is assigned a role that should
>>>>> provision account on target system and the account already exists (= can be
>>>>> correlated), it will be updated. But the decision is made upon the
>>>>> provisioning request."
>>>>>
>>>>>  But it does not work, it errors out. Maybe because my resource has
>>>>> create and delete disabled? Midpoint will never create or delete accounts
>>>>> in this resource.
>>>>>
>>>>>   <cap:create>
>>>>>                     <cap:enabled>false</cap:enabled>
>>>>>                 </cap:create>
>>>>>                 <cap:delete>
>>>>>  <cap:enabled>false</cap:enabled>
>>>>>                 </cap:delete>
>>>>>
>>>>>  Starting error,
>>>>>
>>>>>  com.evolveum.midpoint.util.exception.SystemException:
>>>>> com.evolveum.midpoint.util.exception.SystemException:
>>>>> java.lang.UnsupportedOperationException: Resource does not support 'create'
>>>>> operation
>>>>>
>>>>>  This is when I have a role that has an inducement for this resource
>>>>> which I would have thought would just link since it already exists, the
>>>>> correlation is employeeNumber like all of my other resources.
>>>>>
>>>>>  JASON
>>>>>
>>>>> On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>>  Hi Jason,
>>>>>>
>>>>>> in general, the deployment is as follows:
>>>>>>
>>>>>> 1. import/reconcile from source system(s) to create identities
>>>>>> (users) in midPoint. This may also create additional accounts in other
>>>>>> systems (i.e. that were not provisioned before).
>>>>>> 2. create reconciliation tasks for all other systems, where the
>>>>>> accounts already exists and should be linked to midpoint identities.
>>>>>>
>>>>>> Based on the mappings in your resources, the reconciliations may
>>>>>> modify the data on the reconciled resources (outbound mappings).
>>>>>>
>>>>>> Technically, when midPoint user is assigned a role that should
>>>>>> provision account on target system and the account already exists (= can be
>>>>>> correlated), it will be updated. But the decision is made upon the
>>>>>> provisioning request.
>>>>>>
>>>>>> So I'd recommend to setup the reconciliation tasks, and start them
>>>>>> first with the "dry-run" flag to see how many accounts can be correlated to
>>>>>> midPoint users.
>>>>>>
>>>>>> Regards,
>>>>>> Ivan
>>>>>>
>>>>>>
>>>>>> On 12/08/2014 04:51 PM, Jason Everling wrote:
>>>>>>
>>>>>>  So here is the scenario,
>>>>>>
>>>>>>  There is a DBTable resource that already has all the accounts,
>>>>>> midpoint will not create or delete from this resource.
>>>>>>
>>>>>>  The user does not exist yet in Midpoint, The users are created in
>>>>>> midpoint using another DBTable resource.
>>>>>>
>>>>>>  How can I link the newly created user in Midpoint to their account
>>>>>> in the other resource,
>>>>>>
>>>>>>  I can do this by running a reconcile task on the resource but is
>>>>>> there any other way to link users to accounts on other resources since they
>>>>>> already exist without having to run reconcile on the resource everytime?
>>>>>>
>>>>>>  Thanks,
>>>>>> JASON
>>>>>>
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE:
>>>>>> This e-mail together with any attachments is proprietary and
>>>>>> confidential; intended for only the recipient(s) named above and may
>>>>>> contain information that is privileged. You should not retain, copy or use
>>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>>> computer.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>> --
>>>>>>   Ing. Ivan Noris
>>>>>>   Senior Identity Management Engineer
>>>>>>   evolveum.com     evolveum.com/blog/
>>>>>>   _____________________________________________
>>>>>>   "Semper Id(e)M Vix."
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>> --
>>>>>   Ing. Ivan Noris
>>>>>   Senior Identity Management Engineer
>>>>>   evolveum.com     evolveum.com/blog/
>>>>>   _____________________________________________
>>>>>   "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141208/fc533542/attachment.htm>

From ivan.noris at evolveum.com  Tue Dec  9 08:52:31 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 09 Dec 2014 08:52:31 +0100
Subject: [midPoint] Link User during New User Creation
In-Reply-To: <CAFkZXY4nJhkAf39u=qVMm-YvxQ+KVw=HtjstLsysDnEieBiUqw@mail.gmail.com>
References: <CAFkZXY4n-q_cygB607aunnnPCJD0gB5=5yF3-5FvRZW5JqyDGg@mail.gmail.com>
 <5485D737.2030604@evolveum.com>
 <CAFkZXY65RcJnBsbtdC7LxyhRoQb4MnXtDDFFcFeWdX-kq_vsJQ@mail.gmail.com>
 <5485E2F1.30307@evolveum.com>
 <CAFkZXY4rkuMRjd1x6HBFAdme-oWrqW+cNKuHWvbRHutURp_=yA@mail.gmail.com>
 <5485FB90.1000104@evolveum.com>
 <CAFkZXY70+SLKBL-HF4aKE=HFjBYNYBoBK5nog0gGtheWhC8uYA@mail.gmail.com>
 <54861043.1010907@evolveum.com>
 <CAFkZXY6feX3SmB9Qg4ZtbP8ec9bhehD2YmrQ4-p1yG1OjN07Zg@mail.gmail.com>
 <54861BDB.4080409@evolveum.com>
 <CAFkZXY5a0pEMLB-Bi2YkBSU6fyBKb919XAV0PUFfff5=WyE-mw@mail.gmail.com>
 <CAFkZXY4nJhkAf39u=qVMm-YvxQ+KVw=HtjstLsysDnEieBiUqw@mail.gmail.com>
Message-ID: <5486AA3F.6090309@evolveum.com>

No problem, as the reconciliation results answered most of them.

Unmatched and Linked are the only expected situations for your case.

I.

On 12/08/2014 10:55 PM, Jason Everling wrote:
> I missed a few of your other questions, the reactions are to only
> match, unlink, or link.
>
> JASON
>
> On Mon, Dec 8, 2014 at 3:53 PM, Jason Everling <jeverling at bshp.edu
> <mailto:jeverling at bshp.edu>> wrote:
>
>     Correct! Now when this is actually in production it should change
>     to about 1000 from 20, we normally have about 1000 active
>     students/faculty/staff every semester. The initial deployment I do
>     not plan on importing all accounts, some are from many many years
>     ago. That what all the sync conditions were for,
>
>     Linked 	19 	Unmatched 	14266
>
>     Disputed 	0 	Unlinked 	0 	Nothing 	0
>
>
>     On Mon, Dec 8, 2014 at 3:44 PM, Ivan Noris
>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>         Jason,
>
>         what actions took place for the reconciliation? I.e. what
>         situations were configured to to apply what reaction?
>
>         If you were only linking (unlinked->linkAccount), not creating
>         new users in midPoint, I guess only about 20 users were linked
>         and the rest of the accounts were just searched and skipped
>         after correlation expression has been applied.
>
>         The recon results can be displayed by clicking Configuration -
>         Shadow Details and selecting the resource, kind and intent. In
>         your case, kind="account" and intent is almost for sure
>         "default". You will see the numbers/statistics of the accounts
>         there.
>
>         I'd expect about 20 linked and the rest unmatched.
>
>         Regards,
>         I.
>
>
>         On 12/08/2014 10:32 PM, Jason Everling wrote:
>>         Yeah, I just did another database, our collaboration
>>         application, this one had almost 15000 records, now I am not
>>         sure if when Midpoint also has a lot of accounts, my testing
>>         environment only has about 20 users. Took about 9 minutes, I
>>         am pretty sure it is a full recon, I am clicking new task,
>>         selecting the resource and then running it,
>>
>>         Task run last started 	Monday, 8. Dec 2014 14:53:57
>>         Task run last finished 	Monday, 8. Dec 2014 15:02:58
>>
>>
>>         1000000000000042505
>>         	
>>         com.evolveum.midpoint.common.operation.reconciliation.ResourceReconciliation
>>         	
>>         SUCCESS
>>         	
>>         Processed 14283 account(s), got 0 error(s)
>>
>>
>>         On Mon, Dec 8, 2014 at 2:55 PM, Pavol Mederly
>>         <mederly at evolveum.com <mailto:mederly at evolveum.com>> wrote:
>>
>>             Jason,
>>
>>             are you sure it was really a full recon? :-) E.g. wasn't
>>             that a dry run in your case?
>>
>>             In my case, I have a testing OpenDJ LDAP server, a local
>>             PostgreSQL database, and a full recon takes approximately
>>             80 milliseconds per user:
>>
>>             Finished resource part of object:...(Localhost OpenDJ)
>>             reconciliation: Processed 1004 account(s), got 0 error(s)
>>             Average time for one object: 66.80677 ms (*wall clock
>>             time average: 77.61056 ms*).
>>
>>             Yours 27 minutes = 40,5 milliseconds per user seems to be
>>             quite impressive :)
>>
>>             Best regards,
>>             Pavol
>>
>>>             I did a reconcile already from that last time I figured
>>>             out how to do it from one of the previous discussions. I
>>>             just didn't know if it were a standard to do a daily
>>>             recon on a resource.
>>>
>>>             It took 27 minutes to do a full Recon, I only have 6
>>>             attributes which 3 are outbound and 3 is both in/out.
>>>             Name, Last, Phone, Email, Department, Profile
>>>             (extension). This is a VMware VM on my workstation also,
>>>             so surprisingly fast because the virtual disk is on the
>>>             same disk as 10 other running VMs.
>>>
>>>             I have almost 6 different resources now, various types,
>>>             2 of which are this type where the resource already has
>>>             the accounts.
>>>
>>>             I also upgraded to 3.1 Snapshot, just so I am creating
>>>             all the objects on the latest version.
>>>
>>>              
>>>
>>>             On Mon, Dec 8, 2014 at 1:27 PM, Ivan Noris
>>>             <ivan.noris at evolveum.com
>>>             <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>>                 Hi Jason,
>>>
>>>                 40.000 accounts is not an issue itself. Just be
>>>                 adwised that performance strongly depends not only
>>>                 the number of users, but also on configuration of
>>>                 mappings, logging, tracing etc. In other words,
>>>                 linking the account is one thing, provisioning
>>>                 changes during the recon takes more time.
>>>
>>>                 Anyway we appreciate any information about the
>>>                 performance in your case when it's finished.
>>>
>>>                 And don't forget to run the dry-run recon first to
>>>                 be sure about your correlation rules.
>>>
>>>                 Thanks,
>>>                 Ivan
>>>
>>>
>>>                 On 12/08/2014 06:45 PM, Jason Everling wrote:
>>>>                 Ok thanks, that is what I figured so I just wanted
>>>>                 to make sure that was the case. I am going to
>>>>                 remove that configuration, it should never create
>>>>                 anyways, users will always be listed on that
>>>>                 resource first way before midpoint would ever even
>>>>                 create the midpoint user account.
>>>>
>>>>                 I could also just leave that and run Reconcile on
>>>>                 the resource nightly, it has 40,000 objects, that
>>>>                 should not be an issue right?
>>>>
>>>>                 JASON
>>>>
>>>>                 On Mon, Dec 8, 2014 at 11:42 AM, Ivan Noris
>>>>                 <ivan.noris at evolveum.com
>>>>                 <mailto:ivan.noris at evolveum.com>> wrote:
>>>>
>>>>                     Hi Jason,
>>>>
>>>>                     as the error states, and based on what you've
>>>>                     written earlier about disabling creates, it's
>>>>                     because the create capability is disabled
>>>>                     (deliberately). midPoint tries to create (add)
>>>>                     account and the decision that it should be
>>>>                     converted to an update comes just after the
>>>>                     collision is detected.
>>>>
>>>>                     I.
>>>>
>>>>
>>>>                     On 12/08/2014 06:26 PM, Jason Everling wrote:
>>>>>                     I figured that this was the case and I read on
>>>>>                     the wiki..
>>>>>
>>>>>                     "Technically, when midPoint user is assigned a
>>>>>                     role that should provision account on target
>>>>>                     system and the account already exists (= can
>>>>>                     be correlated), it will be updated. But the
>>>>>                     decision is made upon the provisioning request."
>>>>>
>>>>>                     But it does not work, it errors out. Maybe
>>>>>                     because my resource has create and delete
>>>>>                     disabled? Midpoint will never create or delete
>>>>>                     accounts in this resource.
>>>>>
>>>>>                     <cap:create>
>>>>>                                        
>>>>>                     <cap:enabled>false</cap:enabled>
>>>>>                                     </cap:create>
>>>>>                                     <cap:delete>
>>>>>                     <cap:enabled>false</cap:enabled>
>>>>>                                     </cap:delete>
>>>>>
>>>>>                     Starting error,
>>>>>
>>>>>                     com.evolveum.midpoint.util.exception.SystemException:
>>>>>                     com.evolveum.midpoint.util.exception.SystemException:
>>>>>                     java.lang.UnsupportedOperationException:
>>>>>                     Resource does not support 'create' operation
>>>>>
>>>>>                     This is when I have a role that has an
>>>>>                     inducement for this resource which I would
>>>>>                     have thought would just link since it already
>>>>>                     exists, the correlation is employeeNumber like
>>>>>                     all of my other resources.
>>>>>
>>>>>                     JASON
>>>>>
>>>>>                     On Mon, Dec 8, 2014 at 10:52 AM, Ivan Noris
>>>>>                     <ivan.noris at evolveum.com
>>>>>                     <mailto:ivan.noris at evolveum.com>> wrote:
>>>>>
>>>>>                         Hi Jason,
>>>>>
>>>>>                         in general, the deployment is as follows:
>>>>>
>>>>>                         1. import/reconcile from source system(s)
>>>>>                         to create identities (users) in midPoint.
>>>>>                         This may also create additional accounts
>>>>>                         in other systems (i.e. that were not
>>>>>                         provisioned before).
>>>>>                         2. create reconciliation tasks for all
>>>>>                         other systems, where the accounts already
>>>>>                         exists and should be linked to midpoint
>>>>>                         identities.
>>>>>
>>>>>                         Based on the mappings in your resources,
>>>>>                         the reconciliations may modify the data on
>>>>>                         the reconciled resources (outbound mappings).
>>>>>
>>>>>                         Technically, when midPoint user is
>>>>>                         assigned a role that should provision
>>>>>                         account on target system and the account
>>>>>                         already exists (= can be correlated), it
>>>>>                         will be updated. But the decision is made
>>>>>                         upon the provisioning request.
>>>>>
>>>>>                         So I'd recommend to setup the
>>>>>                         reconciliation tasks, and start them first
>>>>>                         with the "dry-run" flag to see how many
>>>>>                         accounts can be correlated to midPoint users.
>>>>>
>>>>>                         Regards,
>>>>>                         Ivan
>>>>>
>>>>>
>>>>>                         On 12/08/2014 04:51 PM, Jason Everling wrote:
>>>>>>                         So here is the scenario,
>>>>>>
>>>>>>                         There is a DBTable resource that already
>>>>>>                         has all the accounts, midpoint will not
>>>>>>                         create or delete from this resource.
>>>>>>
>>>>>>                         The user does not exist yet in Midpoint,
>>>>>>                         The users are created in midpoint using
>>>>>>                         another DBTable resource.
>>>>>>
>>>>>>                         How can I link the newly created user in
>>>>>>                         Midpoint to their account in the other
>>>>>>                         resource,
>>>>>>
>>>>>>                         I can do this by running a reconcile task
>>>>>>                         on the resource but is there any other
>>>>>>                         way to link users to accounts on other
>>>>>>                         resources since they already exist
>>>>>>                         without having to run reconcile on the
>>>>>>                         resource everytime?
>>>>>>
>>>>>>                         Thanks,
>>>>>>                         JASON
>>>>>>
>>>>>>
>>>>>>
>>>>>>                         CONFIDENTIALITY NOTICE:
>>>>>>                         This e-mail together with any attachments
>>>>>>                         is proprietary and confidential; intended
>>>>>>                         for only the recipient(s) named above and
>>>>>>                         may contain information that is
>>>>>>                         privileged. You should not retain, copy
>>>>>>                         or use this e-mail or any attachments for
>>>>>>                         any purpose, or disclose all or any part
>>>>>>                         of the contents to any person. Any views
>>>>>>                         or opinions expressed in this e-mail are
>>>>>>                         those of the author and do not represent
>>>>>>                         those of the Baptist School of Health
>>>>>>                         Professions. If you have received this
>>>>>>                         e-mail in error, or are not the named
>>>>>>                         recipient(s), you are hereby notified
>>>>>>                         that any review, dissemination,
>>>>>>                         distribution or copying of this
>>>>>>                         communication is prohibited by the sender
>>>>>>                         and to do so might constitute a violation
>>>>>>                         of the Electronic Communications Privacy
>>>>>>                         Act, 18 U.S.C. section 2510-2521. Please
>>>>>>                         immediately notify the sender and delete
>>>>>>                         this e-mail and any attachments from your
>>>>>>                         computer.
>>>>>>
>>>>>>
>>>>>>                         _______________________________________________
>>>>>>                         midPoint mailing list
>>>>>>                         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>>                         http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>                         -- 
>>>>>                           Ing. Ivan Noris
>>>>>                           Senior Identity Management Engineer
>>>>>                           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>>                           _____________________________________________
>>>>>                           "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>>                         _______________________________________________
>>>>>                         midPoint mailing list
>>>>>                         midPoint at lists.evolveum.com
>>>>>                         <mailto:midPoint at lists.evolveum.com>
>>>>>                         http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>                     CONFIDENTIALITY NOTICE:
>>>>>                     This e-mail together with any attachments is
>>>>>                     proprietary and confidential; intended for
>>>>>                     only the recipient(s) named above and may
>>>>>                     contain information that is privileged. You
>>>>>                     should not retain, copy or use this e-mail or
>>>>>                     any attachments for any purpose, or disclose
>>>>>                     all or any part of the contents to any person.
>>>>>                     Any views or opinions expressed in this e-mail
>>>>>                     are those of the author and do not represent
>>>>>                     those of the Baptist School of Health
>>>>>                     Professions. If you have received this e-mail
>>>>>                     in error, or are not the named recipient(s),
>>>>>                     you are hereby notified that any review,
>>>>>                     dissemination, distribution or copying of this
>>>>>                     communication is prohibited by the sender and
>>>>>                     to do so might constitute a violation of the
>>>>>                     Electronic Communications Privacy Act, 18
>>>>>                     U.S.C. section 2510-2521. Please immediately
>>>>>                     notify the sender and delete this e-mail and
>>>>>                     any attachments from your computer.
>>>>>
>>>>>
>>>>>                     _______________________________________________
>>>>>                     midPoint mailing list
>>>>>                     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>                     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>                     -- 
>>>>                       Ing. Ivan Noris
>>>>                       Senior Identity Management Engineer
>>>>                       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>                       _____________________________________________
>>>>                       "Semper Id(e)M Vix."
>>>>
>>>>
>>>>                     _______________________________________________
>>>>                     midPoint mailing list
>>>>                     midPoint at lists.evolveum.com
>>>>                     <mailto:midPoint at lists.evolveum.com>
>>>>                     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                 CONFIDENTIALITY NOTICE:
>>>>                 This e-mail together with any attachments is
>>>>                 proprietary and confidential; intended for only the
>>>>                 recipient(s) named above and may contain
>>>>                 information that is privileged. You should not
>>>>                 retain, copy or use this e-mail or any attachments
>>>>                 for any purpose, or disclose all or any part of the
>>>>                 contents to any person. Any views or opinions
>>>>                 expressed in this e-mail are those of the author
>>>>                 and do not represent those of the Baptist School of
>>>>                 Health Professions. If you have received this
>>>>                 e-mail in error, or are not the named recipient(s),
>>>>                 you are hereby notified that any review,
>>>>                 dissemination, distribution or copying of this
>>>>                 communication is prohibited by the sender and to do
>>>>                 so might constitute a violation of the Electronic
>>>>                 Communications Privacy Act, 18 U.S.C. section
>>>>                 2510-2521. Please immediately notify the sender and
>>>>                 delete this e-mail and any attachments from your
>>>>                 computer.
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 midPoint mailing list
>>>>                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>                 -- 
>>>                   Ing. Ivan Noris
>>>                   Senior Identity Management Engineer
>>>                   evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>                   _____________________________________________
>>>                   "Semper Id(e)M Vix."
>>>
>>>
>>>                 _______________________________________________
>>>                 midPoint mailing list
>>>                 midPoint at lists.evolveum.com
>>>                 <mailto:midPoint at lists.evolveum.com>
>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>             CONFIDENTIALITY NOTICE:
>>>             This e-mail together with any attachments is proprietary
>>>             and confidential; intended for only the recipient(s)
>>>             named above and may contain information that is
>>>             privileged. You should not retain, copy or use this
>>>             e-mail or any attachments for any purpose, or disclose
>>>             all or any part of the contents to any person. Any views
>>>             or opinions expressed in this e-mail are those of the
>>>             author and do not represent those of the Baptist School
>>>             of Health Professions. If you have received this e-mail
>>>             in error, or are not the named recipient(s), you are
>>>             hereby notified that any review, dissemination,
>>>             distribution or copying of this communication is
>>>             prohibited by the sender and to do so might constitute a
>>>             violation of the Electronic Communications Privacy Act,
>>>             18 U.S.C. section 2510-2521. Please immediately notify
>>>             the sender and delete this e-mail and any attachments
>>>             from your computer.
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>             _______________________________________________
>>             midPoint mailing list
>>             midPoint at lists.evolveum.com
>>             <mailto:midPoint at lists.evolveum.com>
>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>         CONFIDENTIALITY NOTICE:
>>         This e-mail together with any attachments is proprietary and
>>         confidential; intended for only the recipient(s) named above
>>         and may contain information that is privileged. You should
>>         not retain, copy or use this e-mail or any attachments for
>>         any purpose, or disclose all or any part of the contents to
>>         any person. Any views or opinions expressed in this e-mail
>>         are those of the author and do not represent those of the
>>         Baptist School of Health Professions. If you have received
>>         this e-mail in error, or are not the named recipient(s), you
>>         are hereby notified that any review, dissemination,
>>         distribution or copying of this communication is prohibited
>>         by the sender and to do so might constitute a violation of
>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>         2510-2521. Please immediately notify the sender and delete
>>         this e-mail and any attachments from your computer.
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>         -- 
>           Ing. Ivan Noris
>           Senior Identity Management Engineer
>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>           _____________________________________________
>           "Semper Id(e)M Vix."
>
>
>         _______________________________________________
>         midPoint mailing list
>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141209/c9ed0dab/attachment.htm>

From jeverling at bshp.edu  Wed Dec 10 16:32:51 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 09:32:51 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
Message-ID: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>

Since I upgraded to 3.1 and I am not sure if this is related to the other
CSV Resource issue.

Here is the mapping for the template, it worked fine in 3.0.1 so I do not
know if anything changed, the email address is built using name + '@
domain.com' but when the user is created I get null at domain.com, like it is
not picking up the username from the first mapping

    <mapping>
        <name>Generate Username for CSV</name>
        <source>
            <name>tmpGivenName</name>
            <path>givenName</path>
        </source>
        <source>
            <name>tmpFamilyName</name>
            <path>familyName</path>
        </source>
        <!-- Will generate username in the filastname format with iterator,
              filastname
              filastname2
        -->
        <expression>
            <script>
                <code>
                    tmpGivenNameInitial =
basic.stringify(tmpGivenName)?.size() &gt; 0 ?
                    (basic.stringify(tmpGivenName)).substring(0,2) : ''
                    if (iteration == 0) {
                    basic.norm(basic.stringify(tmpGivenNameInitial +
tmpFamilyName))
                    }
                    else {
                    basic.norm(basic.stringify(tmpGivenNameInitial +
tmpFamilyName)) + iterationToken
                    }
                </code>
            </script>
        </expression>
        <target>
            <path>name</path>
        </target>
    </mapping>

    <iteration>
        <maxIterations>25</maxIterations>
        <tokenExpression>
            <script>
                <code>
                    if (iteration == 0) {
                    return "";
                    } else {
                    return "" + (iteration+1)
                    }
                </code>
            </script>
        </tokenExpression>
    </iteration>

    <mapping>
        <source>
            <path>$user/name</path>
        </source>
        <expression>
            <script>
                <language>
http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
</language>
                <code>name + '@domain.com'</code>
            </script>
        </expression>
        <target>
            <path>emailAddress</path>
        </target>
    </mapping>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/0d5fde69/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec 10 16:46:00 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 10 Dec 2014 16:46:00 +0100
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
Message-ID: <54886AB8.4080408@evolveum.com>

Jason,

I believe I have seen this couple of weeks ago when debugging the
iterator problem... seems that I've forgotten about this.

But as far I can remember, it has worked when the mapping was in global
system template instead of the resource-referenced.

If you can temporarily disable using of the template in resource and set
the same template in System Configuration for UserType objects, can you
please test the behaviour?

Anyway it seems to be a bug, so after you could confirm the behaviour,
I'd create a new issue.

Thanks,
I.

On 12/10/2014 04:32 PM, Jason Everling wrote:
> Since I upgraded to 3.1 and I am not sure if this is related to the
> other CSV Resource issue.
>
> Here is the mapping for the template, it worked fine in 3.0.1 so I do
> not know if anything changed, the email address is built using name +
> '@domain.com <http://domain.com>' but when the user is created I get
> null at domain.com <mailto:null at domain.com>, like it is not picking up
> the username from the first mapping
>
>     <mapping>
>         <name>Generate Username for CSV</name>
>         <source>
>             <name>tmpGivenName</name>
>             <path>givenName</path>
>         </source>
>         <source>
>             <name>tmpFamilyName</name>
>             <path>familyName</path>
>         </source>
>         <!-- Will generate username in the filastname format with
> iterator,
>               filastname
>               filastname2
>         -->
>         <expression>
>             <script>
>                 <code>
>                     tmpGivenNameInitial =
> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>                     if (iteration == 0) {
>                     basic.norm(basic.stringify(tmpGivenNameInitial +
> tmpFamilyName))
>                     }
>                     else {
>                     basic.norm(basic.stringify(tmpGivenNameInitial +
> tmpFamilyName)) + iterationToken
>                     }
>                 </code>
>             </script>
>         </expression>
>         <target>
>             <path>name</path>
>         </target>
>     </mapping>
>
>     <iteration>
>         <maxIterations>25</maxIterations>
>         <tokenExpression>
>             <script>
>                 <code>
>                     if (iteration == 0) {
>                     return "";
>                     } else {
>                     return "" + (iteration+1)
>                     }
>                 </code>
>             </script>
>         </tokenExpression>
>     </iteration>
>
>     <mapping>
>         <source>
>             <path>$user/name</path>
>         </source>
>         <expression>
>             <script>
>                
> <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>                 <code>name + '@domain.com <http://domain.com>'</code>
>             </script>
>         </expression>
>         <target>
>             <path>emailAddress</path>
>         </target>
>     </mapping>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/d20d2efa/attachment.htm>

From jeverling at bshp.edu  Wed Dec 10 17:13:32 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 10:13:32 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <54886AB8.4080408@evolveum.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
Message-ID: <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>

So I disabled or removed that template from the resource reactions, I set
it as the default template is sysconfig.

It still does it,    <emailAddress>null at domain.com</emailAddress> seems to
be affected,

Wierd though, I turned on debugging,

It shows the attribute being created correctly, you can see from the log
but in the gui and in the user xml it is null at domain.com

ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
  user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
      extension:
          otherMailbox: [ hhernandez at local.org ]
          eduPersonAffiliation: [ student ]
      givenName: Herman
      familyName: Hernandes
      costCenter: PN
      employeeNumber: HE5019982
      credentials:
          password:
              value:
ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
http://www.w3.org/2001/04/xmlenc#aes128-cbc),
keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
cipherData=CipherDataType(cipherValue=[32 bytes])))
      activation:
          administrativeStatus: ENABLED
          effectiveStatus: ENABLED
          enableTimestamp: 2014-12-10T10:07:21.502-06:00
      emailAddress: hehernandes at domain.com
      name: hehernandes
      employeeType: [ A2S ]
      locale: US
      organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
      locality: San Antonio
      fullName: Herman Hernandes
      iteration: 0

On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> I believe I have seen this couple of weeks ago when debugging the iterator
> problem... seems that I've forgotten about this.
>
> But as far I can remember, it has worked when the mapping was in global
> system template instead of the resource-referenced.
>
> If you can temporarily disable using of the template in resource and set
> the same template in System Configuration for UserType objects, can you
> please test the behaviour?
>
> Anyway it seems to be a bug, so after you could confirm the behaviour, I'd
> create a new issue.
>
> Thanks,
> I.
>
>
> On 12/10/2014 04:32 PM, Jason Everling wrote:
>
> Since I upgraded to 3.1 and I am not sure if this is related to the other
> CSV Resource issue.
>
>  Here is the mapping for the template, it worked fine in 3.0.1 so I do
> not know if anything changed, the email address is built using name + '@
> domain.com' but when the user is created I get null at domain.com, like it
> is not picking up the username from the first mapping
>
>      <mapping>
>         <name>Generate Username for CSV</name>
>         <source>
>             <name>tmpGivenName</name>
>             <path>givenName</path>
>         </source>
>         <source>
>             <name>tmpFamilyName</name>
>             <path>familyName</path>
>         </source>
>         <!-- Will generate username in the filastname format with iterator,
>               filastname
>               filastname2
>         -->
>         <expression>
>             <script>
>                 <code>
>                     tmpGivenNameInitial =
> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>                     if (iteration == 0) {
>                     basic.norm(basic.stringify(tmpGivenNameInitial +
> tmpFamilyName))
>                     }
>                     else {
>                     basic.norm(basic.stringify(tmpGivenNameInitial +
> tmpFamilyName)) + iterationToken
>                     }
>                 </code>
>             </script>
>         </expression>
>         <target>
>             <path>name</path>
>         </target>
>     </mapping>
>
>      <iteration>
>         <maxIterations>25</maxIterations>
>         <tokenExpression>
>             <script>
>                 <code>
>                     if (iteration == 0) {
>                     return "";
>                     } else {
>                     return "" + (iteration+1)
>                     }
>                 </code>
>             </script>
>         </tokenExpression>
>     </iteration>
>
>      <mapping>
>         <source>
>             <path>$user/name</path>
>         </source>
>         <expression>
>             <script>
>                 <language>
> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
> </language>
>                 <code>name + '@domain.com'</code>
>             </script>
>         </expression>
>         <target>
>             <path>emailAddress</path>
>         </target>
>     </mapping>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/40ae23a9/attachment.htm>

From jeverling at bshp.edu  Wed Dec 10 17:27:44 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 10:27:44 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
Message-ID: <CAFkZXY4ZN9LJsLxq5--i00S=ZKyuNuMPk0yNeEkHo8HFZ3+VCw@mail.gmail.com>

Almost toward the end of the log part, I see this

---[ EXECUTED delta of UserType ]---------------------
Channel:
http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
Wave: 1
ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,MODIFY):
  emailAddress
    REPLACE: null at domain.com

On Wed, Dec 10, 2014 at 10:13 AM, Jason Everling <jeverling at bshp.edu> wrote:

> So I disabled or removed that template from the resource reactions, I set
> it as the default template is sysconfig.
>
> It still does it,    <emailAddress>null at domain.com</emailAddress> seems
> to be affected,
>
> Wierd though, I turned on debugging,
>
> It shows the attribute being created correctly, you can see from the log
> but in the gui and in the user xml it is null at domain.com
>
> ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>       extension:
>           otherMailbox: [ hhernandez at local.org ]
>           eduPersonAffiliation: [ student ]
>       givenName: Herman
>       familyName: Hernandes
>       costCenter: PN
>       employeeNumber: HE5019982
>       credentials:
>           password:
>               value:
> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
> http://www.w3.org/2001/04/xmlenc#aes128-cbc),
> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
> cipherData=CipherDataType(cipherValue=[32 bytes])))
>       activation:
>           administrativeStatus: ENABLED
>           effectiveStatus: ENABLED
>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>       emailAddress: hehernandes at domain.com
>       name: hehernandes
>       employeeType: [ A2S ]
>       locale: US
>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>       locality: San Antonio
>       fullName: Herman Hernandes
>       iteration: 0
>
> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Jason,
>>
>> I believe I have seen this couple of weeks ago when debugging the
>> iterator problem... seems that I've forgotten about this.
>>
>> But as far I can remember, it has worked when the mapping was in global
>> system template instead of the resource-referenced.
>>
>> If you can temporarily disable using of the template in resource and set
>> the same template in System Configuration for UserType objects, can you
>> please test the behaviour?
>>
>> Anyway it seems to be a bug, so after you could confirm the behaviour,
>> I'd create a new issue.
>>
>> Thanks,
>> I.
>>
>>
>> On 12/10/2014 04:32 PM, Jason Everling wrote:
>>
>> Since I upgraded to 3.1 and I am not sure if this is related to the other
>> CSV Resource issue.
>>
>>  Here is the mapping for the template, it worked fine in 3.0.1 so I do
>> not know if anything changed, the email address is built using name + '@
>> domain.com' but when the user is created I get null at domain.com, like it
>> is not picking up the username from the first mapping
>>
>>      <mapping>
>>         <name>Generate Username for CSV</name>
>>         <source>
>>             <name>tmpGivenName</name>
>>             <path>givenName</path>
>>         </source>
>>         <source>
>>             <name>tmpFamilyName</name>
>>             <path>familyName</path>
>>         </source>
>>         <!-- Will generate username in the filastname format with
>> iterator,
>>               filastname
>>               filastname2
>>         -->
>>         <expression>
>>             <script>
>>                 <code>
>>                     tmpGivenNameInitial =
>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>                     if (iteration == 0) {
>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>> tmpFamilyName))
>>                     }
>>                     else {
>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>> tmpFamilyName)) + iterationToken
>>                     }
>>                 </code>
>>             </script>
>>         </expression>
>>         <target>
>>             <path>name</path>
>>         </target>
>>     </mapping>
>>
>>      <iteration>
>>         <maxIterations>25</maxIterations>
>>         <tokenExpression>
>>             <script>
>>                 <code>
>>                     if (iteration == 0) {
>>                     return "";
>>                     } else {
>>                     return "" + (iteration+1)
>>                     }
>>                 </code>
>>             </script>
>>         </tokenExpression>
>>     </iteration>
>>
>>      <mapping>
>>         <source>
>>             <path>$user/name</path>
>>         </source>
>>         <expression>
>>             <script>
>>                 <language>
>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>> </language>
>>                 <code>name + '@domain.com'</code>
>>             </script>
>>         </expression>
>>         <target>
>>             <path>emailAddress</path>
>>         </target>
>>     </mapping>
>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/7f6814fa/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec 10 20:18:21 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 10 Dec 2014 20:18:21 +0100
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
Message-ID: <54889C7D.3030001@evolveum.com>

Hi Jason,

this is interesting: it seems to work:

Right now I have resource with object template reference in unmatched
action:
. . .
      <reaction>
            <situation>unmatched</situation>
            <objectTemplateRef oid="10000000-0000-0000-1111-000000000203"/>
            <action
ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"/>
         </reaction>
. . .

The template:
<objectTemplate
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                oid="10000000-0000-0000-1111-000000000203"
                version="2">
   <name>Default User Template (VIX)</name>
   <iteration>
      <maxIterations>999</maxIterations>
      <tokenExpression>
         <script>
            <code>
                            if (iteration == 0) {
                            return "";
                            } else {
                            return "" + (iteration+1)
                            }
                        </code>
         </script>
      </tokenExpression>
   </iteration>
   <mapping>
      <name>Generate Username</name>
      <source>
         <name>tmpGivenName</name>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">givenName</c:path>
      </source>
      <source>
         <name>tmpFamilyName</name>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">familyName</c:path>
      </source>
      <expression>
         <script>
            <code>
                    tmpGivenNameInitial =
basic.stringify(tmpGivenName)?.size() &gt; 0 ?
(basic.stringify(tmpGivenName)).substring(0,2) : ''
                    if (iteration == 0) {
                    basic.norm(basic.stringify(tmpGivenNameInitial +
tmpFamilyName))
                    }
                    else {
                    basic.norm(basic.stringify(tmpGivenNameInitial +
tmpFamilyName)) + iterationToken
                    }
                </code>
         </script>
      </expression>
      <target>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">name</c:path>
      </target>
   </mapping>
   <mapping>
      <source>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/name</c:path>
      </source>
      <source>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/emailAddress</c:path>
      </source>
      <expression>
         <script>
           
<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
            <code>name+'@bshp.edu'</code>
         </script>
      </expression>
      <target>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">emailAddress</c:path>
      </target>
   </mapping>
</objectTemplate>

The CSV entry:
employeeID,firstname,lastname,otherMailbox,program,organization
"papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"

MidPoint User after sync:
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="93b18a69-f030-4164-9cef-ef955233b2bc"
      version="1">
   <name>anpapecok4</name>
. . .
   <iteration>3</iteration>
   <iterationToken>4</iterationToken>
   <givenName>Andrej</givenName>
   <familyName>Papecok</familyName>
*   <emailAddress>anpapecok4 at bshp.edu</emailAddress>*
   <employeeNumber>papecok4</employeeNumber>
. . .
</user>

This is midPoint git-v3.0.1devel-704-g0937a70

Can you see any difference with your config...?

Regards,
Ivan

On 12/10/2014 05:13 PM, Jason Everling wrote:
> So I disabled or removed that template from the resource reactions, I
> set it as the default template is sysconfig.
>
> It still does it,    <emailAddress>null at domain.com
> <mailto:null at domain.com></emailAddress> seems to be affected,
>
> Wierd though, I turned on debugging,
>
> It shows the attribute being created correctly, you can see from the
> log but in the gui and in the user xml it is null at domain.com
> <mailto:null at domain.com>
>
> ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>       extension: 
>           otherMailbox: [ hhernandez at local.org
> <mailto:hhernandez at local.org> ]
>           eduPersonAffiliation: [ student ]
>       givenName: Herman
>       familyName: Hernandes
>       costCenter: PN
>       employeeNumber: HE5019982
>       credentials: 
>           password: 
>               value:
> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=http://www.w3.org/2001/04/xmlenc#aes128-cbc),
> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
> cipherData=CipherDataType(cipherValue=[32 bytes])))
>       activation: 
>           administrativeStatus: ENABLED
>           effectiveStatus: ENABLED
>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>       emailAddress: hehernandes at domain.com <mailto:hehernandes at domain.com>
>       name: hehernandes
>       employeeType: [ A2S ]
>       locale: US
>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>       locality: San Antonio
>       fullName: Herman Hernandes
>       iteration: 0
>
> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Jason,
>
>     I believe I have seen this couple of weeks ago when debugging the
>     iterator problem... seems that I've forgotten about this.
>
>     But as far I can remember, it has worked when the mapping was in
>     global system template instead of the resource-referenced.
>
>     If you can temporarily disable using of the template in resource
>     and set the same template in System Configuration for UserType
>     objects, can you please test the behaviour?
>
>     Anyway it seems to be a bug, so after you could confirm the
>     behaviour, I'd create a new issue.
>
>     Thanks,
>     I.
>
>
>     On 12/10/2014 04:32 PM, Jason Everling wrote:
>>     Since I upgraded to 3.1 and I am not sure if this is related to
>>     the other CSV Resource issue.
>>
>>     Here is the mapping for the template, it worked fine in 3.0.1 so
>>     I do not know if anything changed, the email address is built
>>     using name + '@domain.com <http://domain.com>' but when the user
>>     is created I get null at domain.com <mailto:null at domain.com>, like
>>     it is not picking up the username from the first mapping
>>
>>         <mapping>
>>             <name>Generate Username for CSV</name>
>>             <source>
>>                 <name>tmpGivenName</name>
>>                 <path>givenName</path>
>>             </source>
>>             <source>
>>                 <name>tmpFamilyName</name>
>>                 <path>familyName</path>
>>             </source>
>>             <!-- Will generate username in the filastname format with
>>     iterator,
>>                   filastname
>>                   filastname2
>>             -->
>>             <expression>
>>                 <script>
>>                     <code>
>>                         tmpGivenNameInitial =
>>     basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>                        
>>     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>                         if (iteration == 0) {
>>                        
>>     basic.norm(basic.stringify(tmpGivenNameInitial + tmpFamilyName))
>>                         }
>>                         else {
>>                        
>>     basic.norm(basic.stringify(tmpGivenNameInitial + tmpFamilyName))
>>     + iterationToken
>>                         }
>>                     </code>
>>                 </script>
>>             </expression>
>>             <target>
>>                 <path>name</path>
>>             </target>
>>         </mapping>
>>
>>         <iteration>
>>             <maxIterations>25</maxIterations>
>>             <tokenExpression>
>>                 <script>
>>                     <code>
>>                         if (iteration == 0) {
>>                         return "";
>>                         } else {
>>                         return "" + (iteration+1)
>>                         }
>>                     </code>
>>                 </script>
>>             </tokenExpression>
>>         </iteration>
>>
>>         <mapping>
>>             <source>
>>                 <path>$user/name</path>
>>             </source>
>>             <expression>
>>                 <script>
>>                    
>>     <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>>                     <code>name + '@domain.com <http://domain.com>'</code>
>>                 </script>
>>             </expression>
>>             <target>
>>                 <path>emailAddress</path>
>>             </target>
>>         </mapping>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/bf0696db/attachment.htm>

From jeverling at bshp.edu  Wed Dec 10 20:25:14 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 13:25:14 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <54889C7D.3030001@evolveum.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
Message-ID: <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>

No not really, looks to be the same,

I attached the template,

The only thing else besides creating the username and email address is that
it assigns the correct Org based on the costCenter attribute which is
mapped to program in my CSV and also assigns a role,



On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> this is interesting: it seems to work:
>
> Right now I have resource with object template reference in unmatched
> action:
> . . .
>       <reaction>
>             <situation>unmatched</situation>
>             <objectTemplateRef oid="10000000-0000-0000-1111-000000000203"/>
>             <action ref=
> "http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>          </reaction>
> . . .
>
> The template:
> <objectTemplate xmlns=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>                 oid="10000000-0000-0000-1111-000000000203"
>                 version="2">
>    <name>Default User Template (VIX)</name>
>    <iteration>
>       <maxIterations>999</maxIterations>
>       <tokenExpression>
>          <script>
>             <code>
>                             if (iteration == 0) {
>                             return "";
>                             } else {
>                             return "" + (iteration+1)
>                             }
>                         </code>
>          </script>
>       </tokenExpression>
>    </iteration>
>    <mapping>
>       <name>Generate Username</name>
>       <source>
>          <name>tmpGivenName</name>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >givenName</c:path>
>       </source>
>       <source>
>          <name>tmpFamilyName</name>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >familyName</c:path>
>       </source>
>       <expression>
>          <script>
>             <code>
>                     tmpGivenNameInitial =
> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
> (basic.stringify(tmpGivenName)).substring(0,2) : ''
>                     if (iteration == 0) {
>                     basic.norm(basic.stringify(tmpGivenNameInitial +
> tmpFamilyName))
>                     }
>                     else {
>                     basic.norm(basic.stringify(tmpGivenNameInitial +
> tmpFamilyName)) + iterationToken
>                     }
>                 </code>
>          </script>
>       </expression>
>       <target>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>name</c:path>
>       </target>
>    </mapping>
>    <mapping>
>       <source>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >$user/name</c:path>
>       </source>
>       <source>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >$user/emailAddress</c:path>
>       </source>
>       <expression>
>          <script>
>             <language>
> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
> </language>
>             <code>name+'@bshp.edu'</code>
>          </script>
>       </expression>
>       <target>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >emailAddress</c:path>
>       </target>
>    </mapping>
> </objectTemplate>
>
> The CSV entry:
> employeeID,firstname,lastname,otherMailbox,program,organization
> "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>
> MidPoint User after sync:
> <user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>       oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>       version="1">
>    <name>anpapecok4</name>
> . . .
>    <iteration>3</iteration>
>    <iterationToken>4</iterationToken>
>    <givenName>Andrej</givenName>
>    <familyName>Papecok</familyName>
> *   <emailAddress>anpapecok4 at bshp.edu <anpapecok4 at bshp.edu></emailAddress>*
>    <employeeNumber>papecok4</employeeNumber>
> . . .
> </user>
>
> This is midPoint git-v3.0.1devel-704-g0937a70
>
> Can you see any difference with your config...?
>
> Regards,
> Ivan
>
>
> On 12/10/2014 05:13 PM, Jason Everling wrote:
>
> So I disabled or removed that template from the resource reactions, I set
> it as the default template is sysconfig.
>
>  It still does it,    <emailAddress>null at domain.com</emailAddress> seems
> to be affected,
>
>  Wierd though, I turned on debugging,
>
>  It shows the attribute being created correctly, you can see from the log
> but in the gui and in the user xml it is null at domain.com
>
>  ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>       extension:
>           otherMailbox: [ hhernandez at local.org ]
>           eduPersonAffiliation: [ student ]
>       givenName: Herman
>       familyName: Hernandes
>       costCenter: PN
>       employeeNumber: HE5019982
>       credentials:
>           password:
>               value:
> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
> http://www.w3.org/2001/04/xmlenc#aes128-cbc),
> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
> cipherData=CipherDataType(cipherValue=[32 bytes])))
>       activation:
>           administrativeStatus: ENABLED
>           effectiveStatus: ENABLED
>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>       emailAddress: hehernandes at domain.com
>       name: hehernandes
>       employeeType: [ A2S ]
>       locale: US
>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>       locality: San Antonio
>       fullName: Herman Hernandes
>       iteration: 0
>
> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Jason,
>>
>> I believe I have seen this couple of weeks ago when debugging the
>> iterator problem... seems that I've forgotten about this.
>>
>> But as far I can remember, it has worked when the mapping was in global
>> system template instead of the resource-referenced.
>>
>> If you can temporarily disable using of the template in resource and set
>> the same template in System Configuration for UserType objects, can you
>> please test the behaviour?
>>
>> Anyway it seems to be a bug, so after you could confirm the behaviour,
>> I'd create a new issue.
>>
>> Thanks,
>> I.
>>
>>
>> On 12/10/2014 04:32 PM, Jason Everling wrote:
>>
>>  Since I upgraded to 3.1 and I am not sure if this is related to the
>> other CSV Resource issue.
>>
>>  Here is the mapping for the template, it worked fine in 3.0.1 so I do
>> not know if anything changed, the email address is built using name + '@
>> domain.com' but when the user is created I get null at domain.com, like it
>> is not picking up the username from the first mapping
>>
>>      <mapping>
>>         <name>Generate Username for CSV</name>
>>         <source>
>>             <name>tmpGivenName</name>
>>             <path>givenName</path>
>>         </source>
>>         <source>
>>             <name>tmpFamilyName</name>
>>             <path>familyName</path>
>>         </source>
>>         <!-- Will generate username in the filastname format with
>> iterator,
>>               filastname
>>               filastname2
>>         -->
>>         <expression>
>>             <script>
>>                 <code>
>>                     tmpGivenNameInitial =
>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>                     if (iteration == 0) {
>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>> tmpFamilyName))
>>                     }
>>                     else {
>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>> tmpFamilyName)) + iterationToken
>>                     }
>>                 </code>
>>             </script>
>>         </expression>
>>         <target>
>>             <path>name</path>
>>         </target>
>>     </mapping>
>>
>>      <iteration>
>>         <maxIterations>25</maxIterations>
>>         <tokenExpression>
>>             <script>
>>                 <code>
>>                     if (iteration == 0) {
>>                     return "";
>>                     } else {
>>                     return "" + (iteration+1)
>>                     }
>>                 </code>
>>             </script>
>>         </tokenExpression>
>>     </iteration>
>>
>>      <mapping>
>>         <source>
>>             <path>$user/name</path>
>>         </source>
>>         <expression>
>>             <script>
>>                 <language>
>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>> </language>
>>                 <code>name + '@domain.com'</code>
>>             </script>
>>         </expression>
>>         <target>
>>             <path>emailAddress</path>
>>         </target>
>>     </mapping>
>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/c0b782ce/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CSV_default_user_template.xml
Type: text/xml
Size: 9180 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/c0b782ce/attachment.xml>

From jeverling at bshp.edu  Wed Dec 10 20:27:18 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 13:27:18 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
Message-ID: <CAFkZXY4iFhFwuX0=s0QFPM735O8--hDoHN+4AVW+0KRd=-1u0w@mail.gmail.com>

I am going to remove the condition on the role assignment and see of that
helps, it is not needed because all people coming from the CSV are students
anyways,

JASON

On Wed, Dec 10, 2014 at 1:25 PM, Jason Everling <jeverling at bshp.edu> wrote:

> No not really, looks to be the same,
>
> I attached the template,
>
> The only thing else besides creating the username and email address is
> that it assigns the correct Org based on the costCenter attribute which is
> mapped to program in my CSV and also assigns a role,
>
>
>
> On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>> this is interesting: it seems to work:
>>
>> Right now I have resource with object template reference in unmatched
>> action:
>> . . .
>>       <reaction>
>>             <situation>unmatched</situation>
>>             <objectTemplateRef
>> oid="10000000-0000-0000-1111-000000000203"/>
>>             <action ref=
>> "http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>>          </reaction>
>> . . .
>>
>> The template:
>> <objectTemplate xmlns=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>                 oid="10000000-0000-0000-1111-000000000203"
>>                 version="2">
>>    <name>Default User Template (VIX)</name>
>>    <iteration>
>>       <maxIterations>999</maxIterations>
>>       <tokenExpression>
>>          <script>
>>             <code>
>>                             if (iteration == 0) {
>>                             return "";
>>                             } else {
>>                             return "" + (iteration+1)
>>                             }
>>                         </code>
>>          </script>
>>       </tokenExpression>
>>    </iteration>
>>    <mapping>
>>       <name>Generate Username</name>
>>       <source>
>>          <name>tmpGivenName</name>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >givenName</c:path>
>>       </source>
>>       <source>
>>          <name>tmpFamilyName</name>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >familyName</c:path>
>>       </source>
>>       <expression>
>>          <script>
>>             <code>
>>                     tmpGivenNameInitial =
>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>> (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>                     if (iteration == 0) {
>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>> tmpFamilyName))
>>                     }
>>                     else {
>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>> tmpFamilyName)) + iterationToken
>>                     }
>>                 </code>
>>          </script>
>>       </expression>
>>       <target>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >name</c:path>
>>       </target>
>>    </mapping>
>>    <mapping>
>>       <source>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >$user/name</c:path>
>>       </source>
>>       <source>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >$user/emailAddress</c:path>
>>       </source>
>>       <expression>
>>          <script>
>>             <language>
>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>> </language>
>>             <code>name+'@bshp.edu'</code>
>>          </script>
>>       </expression>
>>       <target>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >emailAddress</c:path>
>>       </target>
>>    </mapping>
>> </objectTemplate>
>>
>> The CSV entry:
>> employeeID,firstname,lastname,otherMailbox,program,organization
>> "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>>
>> MidPoint User after sync:
>> <user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>       oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>>       version="1">
>>    <name>anpapecok4</name>
>> . . .
>>    <iteration>3</iteration>
>>    <iterationToken>4</iterationToken>
>>    <givenName>Andrej</givenName>
>>    <familyName>Papecok</familyName>
>> *   <emailAddress>anpapecok4 at bshp.edu
>> <anpapecok4 at bshp.edu></emailAddress>*
>>    <employeeNumber>papecok4</employeeNumber>
>> . . .
>> </user>
>>
>> This is midPoint git-v3.0.1devel-704-g0937a70
>>
>> Can you see any difference with your config...?
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/10/2014 05:13 PM, Jason Everling wrote:
>>
>> So I disabled or removed that template from the resource reactions, I set
>> it as the default template is sysconfig.
>>
>>  It still does it,    <emailAddress>null at domain.com</emailAddress> seems
>> to be affected,
>>
>>  Wierd though, I turned on debugging,
>>
>>  It shows the attribute being created correctly, you can see from the
>> log but in the gui and in the user xml it is null at domain.com
>>
>>
>> ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>>       extension:
>>           otherMailbox: [ hhernandez at local.org ]
>>           eduPersonAffiliation: [ student ]
>>       givenName: Herman
>>       familyName: Hernandes
>>       costCenter: PN
>>       employeeNumber: HE5019982
>>       credentials:
>>           password:
>>               value:
>> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
>> http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>> cipherData=CipherDataType(cipherValue=[32 bytes])))
>>       activation:
>>           administrativeStatus: ENABLED
>>           effectiveStatus: ENABLED
>>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>>       emailAddress: hehernandes at domain.com
>>       name: hehernandes
>>       employeeType: [ A2S ]
>>       locale: US
>>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>>       locality: San Antonio
>>       fullName: Herman Hernandes
>>       iteration: 0
>>
>> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Jason,
>>>
>>> I believe I have seen this couple of weeks ago when debugging the
>>> iterator problem... seems that I've forgotten about this.
>>>
>>> But as far I can remember, it has worked when the mapping was in global
>>> system template instead of the resource-referenced.
>>>
>>> If you can temporarily disable using of the template in resource and set
>>> the same template in System Configuration for UserType objects, can you
>>> please test the behaviour?
>>>
>>> Anyway it seems to be a bug, so after you could confirm the behaviour,
>>> I'd create a new issue.
>>>
>>> Thanks,
>>> I.
>>>
>>>
>>> On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>
>>>  Since I upgraded to 3.1 and I am not sure if this is related to the
>>> other CSV Resource issue.
>>>
>>>  Here is the mapping for the template, it worked fine in 3.0.1 so I do
>>> not know if anything changed, the email address is built using name + '@
>>> domain.com' but when the user is created I get null at domain.com, like it
>>> is not picking up the username from the first mapping
>>>
>>>      <mapping>
>>>         <name>Generate Username for CSV</name>
>>>         <source>
>>>             <name>tmpGivenName</name>
>>>             <path>givenName</path>
>>>         </source>
>>>         <source>
>>>             <name>tmpFamilyName</name>
>>>             <path>familyName</path>
>>>         </source>
>>>         <!-- Will generate username in the filastname format with
>>> iterator,
>>>               filastname
>>>               filastname2
>>>         -->
>>>         <expression>
>>>             <script>
>>>                 <code>
>>>                     tmpGivenNameInitial =
>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>                     if (iteration == 0) {
>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>> tmpFamilyName))
>>>                     }
>>>                     else {
>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>> tmpFamilyName)) + iterationToken
>>>                     }
>>>                 </code>
>>>             </script>
>>>         </expression>
>>>         <target>
>>>             <path>name</path>
>>>         </target>
>>>     </mapping>
>>>
>>>      <iteration>
>>>         <maxIterations>25</maxIterations>
>>>         <tokenExpression>
>>>             <script>
>>>                 <code>
>>>                     if (iteration == 0) {
>>>                     return "";
>>>                     } else {
>>>                     return "" + (iteration+1)
>>>                     }
>>>                 </code>
>>>             </script>
>>>         </tokenExpression>
>>>     </iteration>
>>>
>>>      <mapping>
>>>         <source>
>>>             <path>$user/name</path>
>>>         </source>
>>>         <expression>
>>>             <script>
>>>                 <language>
>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>> </language>
>>>                 <code>name + '@domain.com'</code>
>>>             </script>
>>>         </expression>
>>>         <target>
>>>             <path>emailAddress</path>
>>>         </target>
>>>     </mapping>
>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/34f5c6ca/attachment.htm>

From jeverling at bshp.edu  Wed Dec 10 20:29:21 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 13:29:21 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY4iFhFwuX0=s0QFPM735O8--hDoHN+4AVW+0KRd=-1u0w@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
 <CAFkZXY4iFhFwuX0=s0QFPM735O8--hDoHN+4AVW+0KRd=-1u0w@mail.gmail.com>
Message-ID: <CAFkZXY72+9_yEq97syLehLFtDC03oX=dBD+5-G7cJ4SkNwMq7Q@mail.gmail.com>

No that didnt help, I cannot see any other difference then besides the Org

JASON

On Wed, Dec 10, 2014 at 1:27 PM, Jason Everling <jeverling at bshp.edu> wrote:

> I am going to remove the condition on the role assignment and see of that
> helps, it is not needed because all people coming from the CSV are students
> anyways,
>
> JASON
>
> On Wed, Dec 10, 2014 at 1:25 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> No not really, looks to be the same,
>>
>> I attached the template,
>>
>> The only thing else besides creating the username and email address is
>> that it assigns the correct Org based on the costCenter attribute which is
>> mapped to program in my CSV and also assigns a role,
>>
>>
>>
>> On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> this is interesting: it seems to work:
>>>
>>> Right now I have resource with object template reference in unmatched
>>> action:
>>> . . .
>>>       <reaction>
>>>             <situation>unmatched</situation>
>>>             <objectTemplateRef
>>> oid="10000000-0000-0000-1111-000000000203"/>
>>>             <action ref=
>>> "http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>>> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>>>          </reaction>
>>> . . .
>>>
>>> The template:
>>> <objectTemplate xmlns=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>                 oid="10000000-0000-0000-1111-000000000203"
>>>                 version="2">
>>>    <name>Default User Template (VIX)</name>
>>>    <iteration>
>>>       <maxIterations>999</maxIterations>
>>>       <tokenExpression>
>>>          <script>
>>>             <code>
>>>                             if (iteration == 0) {
>>>                             return "";
>>>                             } else {
>>>                             return "" + (iteration+1)
>>>                             }
>>>                         </code>
>>>          </script>
>>>       </tokenExpression>
>>>    </iteration>
>>>    <mapping>
>>>       <name>Generate Username</name>
>>>       <source>
>>>          <name>tmpGivenName</name>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >givenName</c:path>
>>>       </source>
>>>       <source>
>>>          <name>tmpFamilyName</name>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >familyName</c:path>
>>>       </source>
>>>       <expression>
>>>          <script>
>>>             <code>
>>>                     tmpGivenNameInitial =
>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>> (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>                     if (iteration == 0) {
>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>> tmpFamilyName))
>>>                     }
>>>                     else {
>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>> tmpFamilyName)) + iterationToken
>>>                     }
>>>                 </code>
>>>          </script>
>>>       </expression>
>>>       <target>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >name</c:path>
>>>       </target>
>>>    </mapping>
>>>    <mapping>
>>>       <source>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >$user/name</c:path>
>>>       </source>
>>>       <source>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >$user/emailAddress</c:path>
>>>       </source>
>>>       <expression>
>>>          <script>
>>>             <language>
>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>> </language>
>>>             <code>name+'@bshp.edu'</code>
>>>          </script>
>>>       </expression>
>>>       <target>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >emailAddress</c:path>
>>>       </target>
>>>    </mapping>
>>> </objectTemplate>
>>>
>>> The CSV entry:
>>> employeeID,firstname,lastname,otherMailbox,program,organization
>>> "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>>>
>>> MidPoint User after sync:
>>> <user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>       oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>>>       version="1">
>>>    <name>anpapecok4</name>
>>> . . .
>>>    <iteration>3</iteration>
>>>    <iterationToken>4</iterationToken>
>>>    <givenName>Andrej</givenName>
>>>    <familyName>Papecok</familyName>
>>> *   <emailAddress>anpapecok4 at bshp.edu
>>> <anpapecok4 at bshp.edu></emailAddress>*
>>>    <employeeNumber>papecok4</employeeNumber>
>>> . . .
>>> </user>
>>>
>>> This is midPoint git-v3.0.1devel-704-g0937a70
>>>
>>> Can you see any difference with your config...?
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 12/10/2014 05:13 PM, Jason Everling wrote:
>>>
>>> So I disabled or removed that template from the resource reactions, I
>>> set it as the default template is sysconfig.
>>>
>>>  It still does it,    <emailAddress>null at domain.com</emailAddress>
>>> seems to be affected,
>>>
>>>  Wierd though, I turned on debugging,
>>>
>>>  It shows the attribute being created correctly, you can see from the
>>> log but in the gui and in the user xml it is null at domain.com
>>>
>>>
>>> ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>>>       extension:
>>>           otherMailbox: [ hhernandez at local.org ]
>>>           eduPersonAffiliation: [ student ]
>>>       givenName: Herman
>>>       familyName: Hernandes
>>>       costCenter: PN
>>>       employeeNumber: HE5019982
>>>       credentials:
>>>           password:
>>>               value:
>>> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
>>> http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>>> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>>> cipherData=CipherDataType(cipherValue=[32 bytes])))
>>>       activation:
>>>           administrativeStatus: ENABLED
>>>           effectiveStatus: ENABLED
>>>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>>>       emailAddress: hehernandes at domain.com
>>>       name: hehernandes
>>>       employeeType: [ A2S ]
>>>       locale: US
>>>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>>>       locality: San Antonio
>>>       fullName: Herman Hernandes
>>>       iteration: 0
>>>
>>> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Jason,
>>>>
>>>> I believe I have seen this couple of weeks ago when debugging the
>>>> iterator problem... seems that I've forgotten about this.
>>>>
>>>> But as far I can remember, it has worked when the mapping was in global
>>>> system template instead of the resource-referenced.
>>>>
>>>> If you can temporarily disable using of the template in resource and
>>>> set the same template in System Configuration for UserType objects, can you
>>>> please test the behaviour?
>>>>
>>>> Anyway it seems to be a bug, so after you could confirm the behaviour,
>>>> I'd create a new issue.
>>>>
>>>> Thanks,
>>>> I.
>>>>
>>>>
>>>> On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>>
>>>>  Since I upgraded to 3.1 and I am not sure if this is related to the
>>>> other CSV Resource issue.
>>>>
>>>>  Here is the mapping for the template, it worked fine in 3.0.1 so I do
>>>> not know if anything changed, the email address is built using name + '@
>>>> domain.com' but when the user is created I get null at domain.com, like
>>>> it is not picking up the username from the first mapping
>>>>
>>>>      <mapping>
>>>>         <name>Generate Username for CSV</name>
>>>>         <source>
>>>>             <name>tmpGivenName</name>
>>>>             <path>givenName</path>
>>>>         </source>
>>>>         <source>
>>>>             <name>tmpFamilyName</name>
>>>>             <path>familyName</path>
>>>>         </source>
>>>>         <!-- Will generate username in the filastname format with
>>>> iterator,
>>>>               filastname
>>>>               filastname2
>>>>         -->
>>>>         <expression>
>>>>             <script>
>>>>                 <code>
>>>>                     tmpGivenNameInitial =
>>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>>                     if (iteration == 0) {
>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>> tmpFamilyName))
>>>>                     }
>>>>                     else {
>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>> tmpFamilyName)) + iterationToken
>>>>                     }
>>>>                 </code>
>>>>             </script>
>>>>         </expression>
>>>>         <target>
>>>>             <path>name</path>
>>>>         </target>
>>>>     </mapping>
>>>>
>>>>      <iteration>
>>>>         <maxIterations>25</maxIterations>
>>>>         <tokenExpression>
>>>>             <script>
>>>>                 <code>
>>>>                     if (iteration == 0) {
>>>>                     return "";
>>>>                     } else {
>>>>                     return "" + (iteration+1)
>>>>                     }
>>>>                 </code>
>>>>             </script>
>>>>         </tokenExpression>
>>>>     </iteration>
>>>>
>>>>      <mapping>
>>>>         <source>
>>>>             <path>$user/name</path>
>>>>         </source>
>>>>         <expression>
>>>>             <script>
>>>>                 <language>
>>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>>> </language>
>>>>                 <code>name + '@domain.com'</code>
>>>>             </script>
>>>>         </expression>
>>>>         <target>
>>>>             <path>emailAddress</path>
>>>>         </target>
>>>>     </mapping>
>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/f875be32/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec 10 20:35:28 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 10 Dec 2014 20:35:28 +0100
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
Message-ID: <5488A080.90404@evolveum.com>

I have re-added the Org assignment as I was testing last week. It's
still working.

This is what I added at the end of the template:

   <mapping>
      <authoritative>true</authoritative>
      <source>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">organization</c:path>
      </source>
      <expression>
         <assignmentTargetSearch>
            <targetType
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:OrgType</targetType>
            <filter
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
               <q:equal>
                  <q:path>name</q:path>
                  <expression>
                     <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$organization</c:path>
                  </expression>
               </q:equal>
            </filter>
         </assignmentTargetSearch>
      </expression>
      <target>
         <c:path
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">assignment</c:path>
      </target>
   </mapping>

User:
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="9be4e4c9-66fc-4fbe-83c8-286ebfb9ac6e"
      version="1">
   <name>anpapecok5</name>
   <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
type="OrgType"><!-- Posam --></parentOrgRef>
   <metadata>
      <createTimestamp>2014-12-10T20:30:38.743+01:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002"
type="UserType"><!-- administrator --></creatorRef>
     
<createChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</createChannel>
   </metadata>
   <linkRef oid="abb8d8cc-507b-4210-aac7-3777c37b4b5b"
type="ShadowType"><!-- papecok5 --></linkRef>
   <assignment id="1">
      <targetRef
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="00000000-8888-6666-0000-100000000030"
                 type="c:OrgType"><!-- MyOrg --></targetRef>
   </assignment>
   <activation>
      <effectiveStatus>disabled</effectiveStatus>
      <disableTimestamp>2014-12-10T20:30:38.086+01:00</disableTimestamp>
   </activation>
   <iteration>4</iteration>
   <iterationToken>5</iterationToken>
   <givenName>Andrej</givenName>
   <familyName>Papecok</familyName>
   <emailAddress>anpapecok5 at bshp.edu</emailAddress>
   <employeeNumber>papecok5</employeeNumber>
   <costCenter>xxx</costCenter>
   <organization>MyOrg</organization>
. . .
</user>

So unless there is any trick hidden in the other mappings, maybe the
issue was resolved since your snapshot... Can you post the exact
midPoint version?

I.


On 12/10/2014 08:25 PM, Jason Everling wrote:
> No not really, looks to be the same,
>
> I attached the template,
>
> The only thing else besides creating the username and email address is
> that it assigns the correct Org based on the costCenter attribute
> which is mapped to program in my CSV and also assigns a role,
>
>
>
> On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     this is interesting: it seems to work:
>
>     Right now I have resource with object template reference in
>     unmatched action:
>     . . .
>           <reaction>
>                 <situation>unmatched</situation>
>                 <objectTemplateRef
>     oid="10000000-0000-0000-1111-000000000203"/>
>                 <action
>     ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>     <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>              </reaction>
>     . . .
>
>     The template:
>     <objectTemplate
>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>                     oid="10000000-0000-0000-1111-000000000203"
>                     version="2">
>        <name>Default User Template (VIX)</name>
>        <iteration>
>           <maxIterations>999</maxIterations>
>           <tokenExpression>
>              <script>
>                 <code>
>                                 if (iteration == 0) {
>                                 return "";
>                                 } else {
>                                 return "" + (iteration+1)
>                                 }
>                             </code>
>              </script>
>           </tokenExpression>
>        </iteration>
>        <mapping>
>           <name>Generate Username</name>
>           <source>
>              <name>tmpGivenName</name>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>givenName</c:path>
>           </source>
>           <source>
>              <name>tmpFamilyName</name>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>familyName</c:path>
>           </source>
>           <expression>
>              <script>
>                 <code>
>                         tmpGivenNameInitial =
>     basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>                         if (iteration == 0) {
>                         basic.norm(basic.stringify(tmpGivenNameInitial
>     + tmpFamilyName))
>                         }
>                         else {
>                         basic.norm(basic.stringify(tmpGivenNameInitial
>     + tmpFamilyName)) + iterationToken
>                         }
>                     </code>
>              </script>
>           </expression>
>           <target>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>name</c:path>
>           </target>
>        </mapping>
>        <mapping>
>           <source>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$user/name</c:path>
>           </source>
>           <source>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$user/emailAddress</c:path>
>           </source>
>           <expression>
>              <script>
>                
>     <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>                 <code>name+'@bshp.edu <mailto:name%2B%27 at bshp.edu>'</code>
>              </script>
>           </expression>
>           <target>
>              <c:path
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>emailAddress</c:path>
>           </target>
>        </mapping>
>     </objectTemplate>
>
>     The CSV entry:
>     employeeID,firstname,lastname,otherMailbox,program,organization
>     "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>
>     MidPoint User after sync:
>     <user
>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>           oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>           version="1">
>        <name>anpapecok4</name>
>     . . .
>        <iteration>3</iteration>
>        <iterationToken>4</iterationToken>
>        <givenName>Andrej</givenName>
>        <familyName>Papecok</familyName>
>     *   <emailAddress>anpapecok4 at bshp.edu
>     <mailto:anpapecok4 at bshp.edu></emailAddress>*
>        <employeeNumber>papecok4</employeeNumber>
>     . . .
>     </user>
>
>     This is midPoint git-v3.0.1devel-704-g0937a70
>
>     Can you see any difference with your config...?
>
>     Regards,
>     Ivan
>
>
>     On 12/10/2014 05:13 PM, Jason Everling wrote:
>>     So I disabled or removed that template from the resource
>>     reactions, I set it as the default template is sysconfig.
>>
>>     It still does it,    <emailAddress>null at domain.com
>>     <mailto:null at domain.com></emailAddress> seems to be affected,
>>
>>     Wierd though, I turned on debugging,
>>
>>     It shows the attribute being created correctly, you can see from
>>     the log but in the gui and in the user xml it is null at domain.com
>>     <mailto:null at domain.com>
>>
>>     ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>       user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>>           extension: 
>>               otherMailbox: [ hhernandez at local.org
>>     <mailto:hhernandez at local.org> ]
>>               eduPersonAffiliation: [ student ]
>>           givenName: Herman
>>           familyName: Hernandes
>>           costCenter: PN
>>           employeeNumber: HE5019982
>>           credentials: 
>>               password: 
>>                   value:
>>     ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>>     keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>>     cipherData=CipherDataType(cipherValue=[32 bytes])))
>>           activation: 
>>               administrativeStatus: ENABLED
>>               effectiveStatus: ENABLED
>>               enableTimestamp: 2014-12-10T10:07:21.502-06:00
>>           emailAddress: hehernandes at domain.com
>>     <mailto:hehernandes at domain.com>
>>           name: hehernandes
>>           employeeType: [ A2S ]
>>           locale: US
>>           organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>>           locality: San Antonio
>>           fullName: Herman Hernandes
>>           iteration: 0
>>
>>     On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Jason,
>>
>>         I believe I have seen this couple of weeks ago when debugging
>>         the iterator problem... seems that I've forgotten about this.
>>
>>         But as far I can remember, it has worked when the mapping was
>>         in global system template instead of the resource-referenced.
>>
>>         If you can temporarily disable using of the template in
>>         resource and set the same template in System Configuration
>>         for UserType objects, can you please test the behaviour?
>>
>>         Anyway it seems to be a bug, so after you could confirm the
>>         behaviour, I'd create a new issue.
>>
>>         Thanks,
>>         I.
>>
>>
>>         On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>         Since I upgraded to 3.1 and I am not sure if this is related
>>>         to the other CSV Resource issue.
>>>
>>>         Here is the mapping for the template, it worked fine in
>>>         3.0.1 so I do not know if anything changed, the email
>>>         address is built using name + '@domain.com
>>>         <http://domain.com>' but when the user is created I get
>>>         null at domain.com <mailto:null at domain.com>, like it is not
>>>         picking up the username from the first mapping
>>>
>>>             <mapping>
>>>                 <name>Generate Username for CSV</name>
>>>                 <source>
>>>                     <name>tmpGivenName</name>
>>>                     <path>givenName</path>
>>>                 </source>
>>>                 <source>
>>>                     <name>tmpFamilyName</name>
>>>                     <path>familyName</path>
>>>                 </source>
>>>                 <!-- Will generate username in the filastname format
>>>         with iterator,
>>>                       filastname
>>>                       filastname2
>>>                 -->
>>>                 <expression>
>>>                     <script>
>>>                         <code>
>>>                             tmpGivenNameInitial =
>>>         basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>                            
>>>         (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>                             if (iteration == 0) {
>>>                            
>>>         basic.norm(basic.stringify(tmpGivenNameInitial + tmpFamilyName))
>>>                             }
>>>                             else {
>>>                            
>>>         basic.norm(basic.stringify(tmpGivenNameInitial +
>>>         tmpFamilyName)) + iterationToken
>>>                             }
>>>                         </code>
>>>                     </script>
>>>                 </expression>
>>>                 <target>
>>>                     <path>name</path>
>>>                 </target>
>>>             </mapping>
>>>
>>>             <iteration>
>>>                 <maxIterations>25</maxIterations>
>>>                 <tokenExpression>
>>>                     <script>
>>>                         <code>
>>>                             if (iteration == 0) {
>>>                             return "";
>>>                             } else {
>>>                             return "" + (iteration+1)
>>>                             }
>>>                         </code>
>>>                     </script>
>>>                 </tokenExpression>
>>>             </iteration>
>>>
>>>             <mapping>
>>>                 <source>
>>>                     <path>$user/name</path>
>>>                 </source>
>>>                 <expression>
>>>                     <script>
>>>                        
>>>         <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>>>                         <code>name + '@domain.com
>>>         <http://domain.com>'</code>
>>>                     </script>
>>>                 </expression>
>>>                 <target>
>>>                     <path>emailAddress</path>
>>>                 </target>
>>>             </mapping>
>>>
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/57db925a/attachment.htm>

From jeverling at bshp.edu  Wed Dec 10 20:40:59 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 13:40:59 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <5488A080.90404@evolveum.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
 <5488A080.90404@evolveum.com>
Message-ID: <CAFkZXY66mmsHvMidXfEBbgqZhzC7NoSLC4cXYuWhRUuPdWO6sA@mail.gmail.com>

I am using,

git-v3.0.1devel-693-g11c758b

I will update to the latest since I am behind what yours is at and let you
know

JASON

On Wed, Dec 10, 2014 at 1:35 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  I have re-added the Org assignment as I was testing last week. It's still
> working.
>
> This is what I added at the end of the template:
>
>    <mapping>
>       <authoritative>true</authoritative>
>       <source>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >organization</c:path>
>       </source>
>       <expression>
>          <assignmentTargetSearch>
>             <targetType xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >c:OrgType</targetType>
>             <filter xmlns:q=
> "http://prism.evolveum.com/xml/ns/public/query-3"
> <http://prism.evolveum.com/xml/ns/public/query-3>>
>                <q:equal>
>                   <q:path>name</q:path>
>                   <expression>
>                      <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >$organization</c:path>
>                   </expression>
>                </q:equal>
>             </filter>
>          </assignmentTargetSearch>
>       </expression>
>       <target>
>          <c:path xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> >assignment</c:path>
>       </target>
>    </mapping>
>
> User:
> <user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>       oid="9be4e4c9-66fc-4fbe-83c8-286ebfb9ac6e"
>       version="1">
>    <name>anpapecok5</name>
>    <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
> type="OrgType"><!-- Posam --></parentOrgRef>
>    <metadata>
>       <createTimestamp>2014-12-10T20:30:38.743+01:00</createTimestamp>
>       <creatorRef oid="00000000-0000-0000-0000-000000000002"
> type="UserType"><!-- administrator --></creatorRef>
>       <createChannel>
> http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
> </createChannel>
>    </metadata>
>    <linkRef oid="abb8d8cc-507b-4210-aac7-3777c37b4b5b"
> type="ShadowType"><!-- papecok5 --></linkRef>
>    <assignment id="1">
>       <targetRef xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>                  oid="00000000-8888-6666-0000-100000000030"
>                  type="c:OrgType"><!-- MyOrg --></targetRef>
>    </assignment>
>    <activation>
>       <effectiveStatus>disabled</effectiveStatus>
>       <disableTimestamp>2014-12-10T20:30:38.086+01:00</disableTimestamp>
>    </activation>
>    <iteration>4</iteration>
>    <iterationToken>5</iterationToken>
>    <givenName>Andrej</givenName>
>    <familyName>Papecok</familyName>
>    <emailAddress>anpapecok5 at bshp.edu</emailAddress>
>    <employeeNumber>papecok5</employeeNumber>
>    <costCenter>xxx</costCenter>
>    <organization>MyOrg</organization>
> . . .
> </user>
>
> So unless there is any trick hidden in the other mappings, maybe the issue
> was resolved since your snapshot... Can you post the exact midPoint version?
>
> I.
>
>
>
> On 12/10/2014 08:25 PM, Jason Everling wrote:
>
> No not really, looks to be the same,
>
>  I attached the template,
>
>  The only thing else besides creating the username and email address is
> that it assigns the correct Org based on the costCenter attribute which is
> mapped to program in my CSV and also assigns a role,
>
>
>
> On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>> this is interesting: it seems to work:
>>
>> Right now I have resource with object template reference in unmatched
>> action:
>> . . .
>>       <reaction>
>>             <situation>unmatched</situation>
>>             <objectTemplateRef
>> oid="10000000-0000-0000-1111-000000000203"/>
>>             <action ref=
>> "http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>>          </reaction>
>> . . .
>>
>> The template:
>> <objectTemplate xmlns=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>                 oid="10000000-0000-0000-1111-000000000203"
>>                 version="2">
>>    <name>Default User Template (VIX)</name>
>>    <iteration>
>>       <maxIterations>999</maxIterations>
>>       <tokenExpression>
>>          <script>
>>             <code>
>>                             if (iteration == 0) {
>>                             return "";
>>                             } else {
>>                             return "" + (iteration+1)
>>                             }
>>                         </code>
>>          </script>
>>       </tokenExpression>
>>    </iteration>
>>    <mapping>
>>        <name>Generate Username</name>
>>       <source>
>>          <name>tmpGivenName</name>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >givenName</c:path>
>>       </source>
>>       <source>
>>          <name>tmpFamilyName</name>
>>           <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >familyName</c:path>
>>       </source>
>>       <expression>
>>          <script>
>>             <code>
>>                     tmpGivenNameInitial =
>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>> (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>                     if (iteration == 0) {
>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>> tmpFamilyName))
>>                     }
>>                     else {
>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>> tmpFamilyName)) + iterationToken
>>                     }
>>                 </code>
>>          </script>
>>       </expression>
>>       <target>
>>           <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >name</c:path>
>>       </target>
>>    </mapping>
>>    <mapping>
>>       <source>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >$user/name</c:path>
>>       </source>
>>       <source>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >$user/emailAddress</c:path>
>>       </source>
>>       <expression>
>>          <script>
>>             <language>
>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>> </language>
>>              <code>name+'@bshp.edu'</code>
>>          </script>
>>       </expression>
>>       <target>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >emailAddress</c:path>
>>       </target>
>>    </mapping>
>> </objectTemplate>
>>
>> The CSV entry:
>> employeeID,firstname,lastname,otherMailbox,program,organization
>> "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>>
>> MidPoint User after sync:
>> <user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>       oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>>       version="1">
>>    <name>anpapecok4</name>
>> . . .
>>    <iteration>3</iteration>
>>    <iterationToken>4</iterationToken>
>>    <givenName>Andrej</givenName>
>>    <familyName>Papecok</familyName>
>> *   <emailAddress>anpapecok4 at bshp.edu
>> <anpapecok4 at bshp.edu></emailAddress>*
>>    <employeeNumber>papecok4</employeeNumber>
>> . . .
>> </user>
>>
>> This is midPoint git-v3.0.1devel-704-g0937a70
>>
>> Can you see any difference with your config...?
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/10/2014 05:13 PM, Jason Everling wrote:
>>
>> So I disabled or removed that template from the resource reactions, I set
>> it as the default template is sysconfig.
>>
>>  It still does it,    <emailAddress>null at domain.com</emailAddress> seems
>> to be affected,
>>
>>  Wierd though, I turned on debugging,
>>
>>  It shows the attribute being created correctly, you can see from the
>> log but in the gui and in the user xml it is null at domain.com
>>
>>
>> ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>>       extension:
>>           otherMailbox: [ hhernandez at local.org ]
>>           eduPersonAffiliation: [ student ]
>>       givenName: Herman
>>       familyName: Hernandes
>>       costCenter: PN
>>       employeeNumber: HE5019982
>>       credentials:
>>           password:
>>               value:
>> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
>> http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>> cipherData=CipherDataType(cipherValue=[32 bytes])))
>>       activation:
>>           administrativeStatus: ENABLED
>>           effectiveStatus: ENABLED
>>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>>       emailAddress: hehernandes at domain.com
>>       name: hehernandes
>>       employeeType: [ A2S ]
>>       locale: US
>>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>>       locality: San Antonio
>>       fullName: Herman Hernandes
>>       iteration: 0
>>
>> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Jason,
>>>
>>> I believe I have seen this couple of weeks ago when debugging the
>>> iterator problem... seems that I've forgotten about this.
>>>
>>> But as far I can remember, it has worked when the mapping was in global
>>> system template instead of the resource-referenced.
>>>
>>> If you can temporarily disable using of the template in resource and set
>>> the same template in System Configuration for UserType objects, can you
>>> please test the behaviour?
>>>
>>> Anyway it seems to be a bug, so after you could confirm the behaviour,
>>> I'd create a new issue.
>>>
>>> Thanks,
>>> I.
>>>
>>>
>>> On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>
>>>  Since I upgraded to 3.1 and I am not sure if this is related to the
>>> other CSV Resource issue.
>>>
>>>  Here is the mapping for the template, it worked fine in 3.0.1 so I do
>>> not know if anything changed, the email address is built using name + '@
>>> domain.com' but when the user is created I get null at domain.com, like it
>>> is not picking up the username from the first mapping
>>>
>>>      <mapping>
>>>         <name>Generate Username for CSV</name>
>>>         <source>
>>>             <name>tmpGivenName</name>
>>>             <path>givenName</path>
>>>         </source>
>>>         <source>
>>>             <name>tmpFamilyName</name>
>>>             <path>familyName</path>
>>>         </source>
>>>         <!-- Will generate username in the filastname format with
>>> iterator,
>>>               filastname
>>>               filastname2
>>>         -->
>>>         <expression>
>>>             <script>
>>>                 <code>
>>>                     tmpGivenNameInitial =
>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>                     if (iteration == 0) {
>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>> tmpFamilyName))
>>>                     }
>>>                     else {
>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>> tmpFamilyName)) + iterationToken
>>>                     }
>>>                 </code>
>>>             </script>
>>>         </expression>
>>>         <target>
>>>             <path>name</path>
>>>         </target>
>>>     </mapping>
>>>
>>>      <iteration>
>>>         <maxIterations>25</maxIterations>
>>>         <tokenExpression>
>>>             <script>
>>>                 <code>
>>>                     if (iteration == 0) {
>>>                     return "";
>>>                     } else {
>>>                     return "" + (iteration+1)
>>>                     }
>>>                 </code>
>>>             </script>
>>>         </tokenExpression>
>>>     </iteration>
>>>
>>>      <mapping>
>>>         <source>
>>>             <path>$user/name</path>
>>>         </source>
>>>         <expression>
>>>             <script>
>>>                 <language>
>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>> </language>
>>>                 <code>name + '@domain.com'</code>
>>>             </script>
>>>         </expression>
>>>         <target>
>>>             <path>emailAddress</path>
>>>         </target>
>>>     </mapping>
>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/a4f67abb/attachment.htm>

From jeverling at bshp.edu  Wed Dec 10 21:17:24 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 14:17:24 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY66mmsHvMidXfEBbgqZhzC7NoSLC4cXYuWhRUuPdWO6sA@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
 <5488A080.90404@evolveum.com>
 <CAFkZXY66mmsHvMidXfEBbgqZhzC7NoSLC4cXYuWhRUuPdWO6sA@mail.gmail.com>
Message-ID: <CAFkZXY5wWJA3uWW6GjMOZM8fFN4EBssS5MZ4fr-tsGssf+c3ow@mail.gmail.com>

While I am downloading, there has to be something in mine that is doing
this, I noticed on yours also that the

<parentOrgRef oid="00000000-8888-6666-0000-100000000030"
type="OrgType"><!-- Posam --></parentOrgRef>

is added to the user object but it is still not added on mine when I use
the CSV resource but does when using the GUI,

Strange...

JASON

On Wed, Dec 10, 2014 at 1:40 PM, Jason Everling <jeverling at bshp.edu> wrote:

> I am using,
>
> git-v3.0.1devel-693-g11c758b
>
> I will update to the latest since I am behind what yours is at and let you
> know
>
> JASON
>
> On Wed, Dec 10, 2014 at 1:35 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  I have re-added the Org assignment as I was testing last week. It's
>> still working.
>>
>> This is what I added at the end of the template:
>>
>>    <mapping>
>>       <authoritative>true</authoritative>
>>       <source>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >organization</c:path>
>>       </source>
>>       <expression>
>>          <assignmentTargetSearch>
>>             <targetType xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >c:OrgType</targetType>
>>             <filter xmlns:q=
>> "http://prism.evolveum.com/xml/ns/public/query-3"
>> <http://prism.evolveum.com/xml/ns/public/query-3>>
>>                <q:equal>
>>                   <q:path>name</q:path>
>>                   <expression>
>>                      <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >$organization</c:path>
>>                   </expression>
>>                </q:equal>
>>             </filter>
>>          </assignmentTargetSearch>
>>       </expression>
>>       <target>
>>          <c:path xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>> >assignment</c:path>
>>       </target>
>>    </mapping>
>>
>> User:
>> <user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>       oid="9be4e4c9-66fc-4fbe-83c8-286ebfb9ac6e"
>>       version="1">
>>    <name>anpapecok5</name>
>>    <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
>> type="OrgType"><!-- Posam --></parentOrgRef>
>>    <metadata>
>>       <createTimestamp>2014-12-10T20:30:38.743+01:00</createTimestamp>
>>       <creatorRef oid="00000000-0000-0000-0000-000000000002"
>> type="UserType"><!-- administrator --></creatorRef>
>>       <createChannel>
>> http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
>> </createChannel>
>>    </metadata>
>>    <linkRef oid="abb8d8cc-507b-4210-aac7-3777c37b4b5b"
>> type="ShadowType"><!-- papecok5 --></linkRef>
>>    <assignment id="1">
>>       <targetRef xmlns:c=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>                  oid="00000000-8888-6666-0000-100000000030"
>>                  type="c:OrgType"><!-- MyOrg --></targetRef>
>>    </assignment>
>>    <activation>
>>       <effectiveStatus>disabled</effectiveStatus>
>>       <disableTimestamp>2014-12-10T20:30:38.086+01:00</disableTimestamp>
>>    </activation>
>>    <iteration>4</iteration>
>>    <iterationToken>5</iterationToken>
>>    <givenName>Andrej</givenName>
>>    <familyName>Papecok</familyName>
>>    <emailAddress>anpapecok5 at bshp.edu</emailAddress>
>>    <employeeNumber>papecok5</employeeNumber>
>>    <costCenter>xxx</costCenter>
>>    <organization>MyOrg</organization>
>> . . .
>> </user>
>>
>> So unless there is any trick hidden in the other mappings, maybe the
>> issue was resolved since your snapshot... Can you post the exact midPoint
>> version?
>>
>> I.
>>
>>
>>
>> On 12/10/2014 08:25 PM, Jason Everling wrote:
>>
>> No not really, looks to be the same,
>>
>>  I attached the template,
>>
>>  The only thing else besides creating the username and email address is
>> that it assigns the correct Org based on the costCenter attribute which is
>> mapped to program in my CSV and also assigns a role,
>>
>>
>>
>> On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> this is interesting: it seems to work:
>>>
>>> Right now I have resource with object template reference in unmatched
>>> action:
>>> . . .
>>>       <reaction>
>>>             <situation>unmatched</situation>
>>>             <objectTemplateRef
>>> oid="10000000-0000-0000-1111-000000000203"/>
>>>             <action ref=
>>> "http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>>> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>>>          </reaction>
>>> . . .
>>>
>>> The template:
>>> <objectTemplate xmlns=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>                 oid="10000000-0000-0000-1111-000000000203"
>>>                 version="2">
>>>    <name>Default User Template (VIX)</name>
>>>    <iteration>
>>>       <maxIterations>999</maxIterations>
>>>       <tokenExpression>
>>>          <script>
>>>             <code>
>>>                             if (iteration == 0) {
>>>                             return "";
>>>                             } else {
>>>                             return "" + (iteration+1)
>>>                             }
>>>                         </code>
>>>          </script>
>>>       </tokenExpression>
>>>    </iteration>
>>>    <mapping>
>>>        <name>Generate Username</name>
>>>       <source>
>>>          <name>tmpGivenName</name>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >givenName</c:path>
>>>       </source>
>>>       <source>
>>>          <name>tmpFamilyName</name>
>>>           <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >familyName</c:path>
>>>       </source>
>>>       <expression>
>>>          <script>
>>>             <code>
>>>                     tmpGivenNameInitial =
>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>> (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>                     if (iteration == 0) {
>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>> tmpFamilyName))
>>>                     }
>>>                     else {
>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>> tmpFamilyName)) + iterationToken
>>>                     }
>>>                 </code>
>>>          </script>
>>>       </expression>
>>>       <target>
>>>           <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >name</c:path>
>>>       </target>
>>>    </mapping>
>>>    <mapping>
>>>       <source>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >$user/name</c:path>
>>>       </source>
>>>       <source>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >$user/emailAddress</c:path>
>>>       </source>
>>>       <expression>
>>>          <script>
>>>             <language>
>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>> </language>
>>>              <code>name+'@bshp.edu'</code>
>>>          </script>
>>>       </expression>
>>>       <target>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >emailAddress</c:path>
>>>       </target>
>>>    </mapping>
>>> </objectTemplate>
>>>
>>> The CSV entry:
>>> employeeID,firstname,lastname,otherMailbox,program,organization
>>> "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>>>
>>> MidPoint User after sync:
>>> <user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>       oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>>>       version="1">
>>>    <name>anpapecok4</name>
>>> . . .
>>>    <iteration>3</iteration>
>>>    <iterationToken>4</iterationToken>
>>>    <givenName>Andrej</givenName>
>>>    <familyName>Papecok</familyName>
>>> *   <emailAddress>anpapecok4 at bshp.edu
>>> <anpapecok4 at bshp.edu></emailAddress>*
>>>    <employeeNumber>papecok4</employeeNumber>
>>> . . .
>>> </user>
>>>
>>> This is midPoint git-v3.0.1devel-704-g0937a70
>>>
>>> Can you see any difference with your config...?
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 12/10/2014 05:13 PM, Jason Everling wrote:
>>>
>>> So I disabled or removed that template from the resource reactions, I
>>> set it as the default template is sysconfig.
>>>
>>>  It still does it,    <emailAddress>null at domain.com</emailAddress>
>>> seems to be affected,
>>>
>>>  Wierd though, I turned on debugging,
>>>
>>>  It shows the attribute being created correctly, you can see from the
>>> log but in the gui and in the user xml it is null at domain.com
>>>
>>>
>>> ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>>>       extension:
>>>           otherMailbox: [ hhernandez at local.org ]
>>>           eduPersonAffiliation: [ student ]
>>>       givenName: Herman
>>>       familyName: Hernandes
>>>       costCenter: PN
>>>       employeeNumber: HE5019982
>>>       credentials:
>>>           password:
>>>               value:
>>> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
>>> http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>>> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>>> cipherData=CipherDataType(cipherValue=[32 bytes])))
>>>       activation:
>>>           administrativeStatus: ENABLED
>>>           effectiveStatus: ENABLED
>>>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>>>       emailAddress: hehernandes at domain.com
>>>       name: hehernandes
>>>       employeeType: [ A2S ]
>>>       locale: US
>>>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>>>       locality: San Antonio
>>>       fullName: Herman Hernandes
>>>       iteration: 0
>>>
>>> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Jason,
>>>>
>>>> I believe I have seen this couple of weeks ago when debugging the
>>>> iterator problem... seems that I've forgotten about this.
>>>>
>>>> But as far I can remember, it has worked when the mapping was in global
>>>> system template instead of the resource-referenced.
>>>>
>>>> If you can temporarily disable using of the template in resource and
>>>> set the same template in System Configuration for UserType objects, can you
>>>> please test the behaviour?
>>>>
>>>> Anyway it seems to be a bug, so after you could confirm the behaviour,
>>>> I'd create a new issue.
>>>>
>>>> Thanks,
>>>> I.
>>>>
>>>>
>>>> On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>>
>>>>  Since I upgraded to 3.1 and I am not sure if this is related to the
>>>> other CSV Resource issue.
>>>>
>>>>  Here is the mapping for the template, it worked fine in 3.0.1 so I do
>>>> not know if anything changed, the email address is built using name + '@
>>>> domain.com' but when the user is created I get null at domain.com, like
>>>> it is not picking up the username from the first mapping
>>>>
>>>>      <mapping>
>>>>         <name>Generate Username for CSV</name>
>>>>         <source>
>>>>             <name>tmpGivenName</name>
>>>>             <path>givenName</path>
>>>>         </source>
>>>>         <source>
>>>>             <name>tmpFamilyName</name>
>>>>             <path>familyName</path>
>>>>         </source>
>>>>         <!-- Will generate username in the filastname format with
>>>> iterator,
>>>>               filastname
>>>>               filastname2
>>>>         -->
>>>>         <expression>
>>>>             <script>
>>>>                 <code>
>>>>                     tmpGivenNameInitial =
>>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>>                     if (iteration == 0) {
>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>> tmpFamilyName))
>>>>                     }
>>>>                     else {
>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>> tmpFamilyName)) + iterationToken
>>>>                     }
>>>>                 </code>
>>>>             </script>
>>>>         </expression>
>>>>         <target>
>>>>             <path>name</path>
>>>>         </target>
>>>>     </mapping>
>>>>
>>>>      <iteration>
>>>>         <maxIterations>25</maxIterations>
>>>>         <tokenExpression>
>>>>             <script>
>>>>                 <code>
>>>>                     if (iteration == 0) {
>>>>                     return "";
>>>>                     } else {
>>>>                     return "" + (iteration+1)
>>>>                     }
>>>>                 </code>
>>>>             </script>
>>>>         </tokenExpression>
>>>>     </iteration>
>>>>
>>>>      <mapping>
>>>>         <source>
>>>>             <path>$user/name</path>
>>>>         </source>
>>>>         <expression>
>>>>             <script>
>>>>                 <language>
>>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>>> </language>
>>>>                 <code>name + '@domain.com'</code>
>>>>             </script>
>>>>         </expression>
>>>>         <target>
>>>>             <path>emailAddress</path>
>>>>         </target>
>>>>     </mapping>
>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/b7af98c6/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec 10 22:23:50 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 10 Dec 2014 22:23:50 +0100
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY5wWJA3uWW6GjMOZM8fFN4EBssS5MZ4fr-tsGssf+c3ow@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
 <5488A080.90404@evolveum.com>
 <CAFkZXY66mmsHvMidXfEBbgqZhzC7NoSLC4cXYuWhRUuPdWO6sA@mail.gmail.com>
 <CAFkZXY5wWJA3uWW6GjMOZM8fFN4EBssS5MZ4fr-tsGssf+c3ow@mail.gmail.com>
Message-ID: <5488B9E6.1000901@evolveum.com>

Jason,

that is really strange, but I'm hoping that it's not happening after you
upgrade. I don't have the very very latest midPoint though.

Regards,
Ivan

On 12/10/2014 09:17 PM, Jason Everling wrote:
> While I am downloading, there has to be something in mine that is
> doing this, I noticed on yours also that the 
>
> <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
> type="OrgType"><!-- Posam --></parentOrgRef> 
>
> is added to the user object but it is still not added on mine when I
> use the CSV resource but does when using the GUI,
>
> Strange...
>
> JASON
>
> On Wed, Dec 10, 2014 at 1:40 PM, Jason Everling <jeverling at bshp.edu
> <mailto:jeverling at bshp.edu>> wrote:
>
>     I am using,
>
>     git-v3.0.1devel-693-g11c758b
>
>     I will update to the latest since I am behind what yours is at and
>     let you know
>
>     JASON
>
>     On Wed, Dec 10, 2014 at 1:35 PM, Ivan Noris
>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>         I have re-added the Org assignment as I was testing last week.
>         It's still working.
>
>         This is what I added at the end of the template:
>
>            <mapping>
>               <authoritative>true</authoritative>
>               <source>
>                  <c:path
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>organization</c:path>
>               </source>
>               <expression>
>                  <assignmentTargetSearch>
>                     <targetType
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>c:OrgType</targetType>
>                     <filter
>         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>         <http://prism.evolveum.com/xml/ns/public/query-3>>
>                        <q:equal>
>                           <q:path>name</q:path>
>                           <expression>
>                              <c:path
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$organization</c:path>
>                           </expression>
>                        </q:equal>
>                     </filter>
>                  </assignmentTargetSearch>
>               </expression>
>               <target>
>                  <c:path
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>assignment</c:path>
>               </target>
>            </mapping>
>
>         User:
>         <user
>         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>               oid="9be4e4c9-66fc-4fbe-83c8-286ebfb9ac6e"
>               version="1">
>            <name>anpapecok5</name>
>            <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
>         type="OrgType"><!-- Posam --></parentOrgRef>
>            <metadata>
>              
>         <createTimestamp>2014-12-10T20:30:38.743+01:00</createTimestamp>
>               <creatorRef oid="00000000-0000-0000-0000-000000000002"
>         type="UserType"><!-- administrator --></creatorRef>
>              
>         <createChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</createChannel>
>            </metadata>
>            <linkRef oid="abb8d8cc-507b-4210-aac7-3777c37b4b5b"
>         type="ShadowType"><!-- papecok5 --></linkRef>
>            <assignment id="1">
>               <targetRef
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>                          oid="00000000-8888-6666-0000-100000000030"
>                          type="c:OrgType"><!-- MyOrg --></targetRef>
>            </assignment>
>            <activation>
>               <effectiveStatus>disabled</effectiveStatus>
>              
>         <disableTimestamp>2014-12-10T20:30:38.086+01:00</disableTimestamp>
>            </activation>
>            <iteration>4</iteration>
>            <iterationToken>5</iterationToken>
>            <givenName>Andrej</givenName>
>            <familyName>Papecok</familyName>
>            <emailAddress>anpapecok5 at bshp.edu
>         <mailto:anpapecok5 at bshp.edu></emailAddress>
>            <employeeNumber>papecok5</employeeNumber>
>            <costCenter>xxx</costCenter>
>            <organization>MyOrg</organization>
>         . . .
>         </user>
>
>         So unless there is any trick hidden in the other mappings,
>         maybe the issue was resolved since your snapshot... Can you
>         post the exact midPoint version?
>
>         I.
>
>
>
>         On 12/10/2014 08:25 PM, Jason Everling wrote:
>>         No not really, looks to be the same,
>>
>>         I attached the template,
>>
>>         The only thing else besides creating the username and email
>>         address is that it assigns the correct Org based on the
>>         costCenter attribute which is mapped to program in my CSV and
>>         also assigns a role,
>>
>>
>>
>>         On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris
>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>             Hi Jason,
>>
>>             this is interesting: it seems to work:
>>
>>             Right now I have resource with object template reference
>>             in unmatched action:
>>             . . .
>>                   <reaction>
>>                         <situation>unmatched</situation>
>>                         <objectTemplateRef
>>             oid="10000000-0000-0000-1111-000000000203"/>
>>                         <action
>>             ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>>             <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>>                      </reaction>
>>             . . .
>>
>>             The template:
>>             <objectTemplate
>>             xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>                             oid="10000000-0000-0000-1111-000000000203"
>>                             version="2">
>>                <name>Default User Template (VIX)</name>
>>                <iteration>
>>                   <maxIterations>999</maxIterations>
>>                   <tokenExpression>
>>                      <script>
>>                         <code>
>>                                         if (iteration == 0) {
>>                                         return "";
>>                                         } else {
>>                                         return "" + (iteration+1)
>>                                         }
>>                                     </code>
>>                      </script>
>>                   </tokenExpression>
>>                </iteration>
>>                <mapping>
>>                   <name>Generate Username</name>
>>                   <source>
>>                      <name>tmpGivenName</name>
>>                      <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>givenName</c:path>
>>                   </source>
>>                   <source>
>>                      <name>tmpFamilyName</name>
>>                      <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>familyName</c:path>
>>                   </source>
>>                   <expression>
>>                      <script>
>>                         <code>
>>                                 tmpGivenNameInitial =
>>             basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>             (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>                                 if (iteration == 0) {
>>                                
>>             basic.norm(basic.stringify(tmpGivenNameInitial +
>>             tmpFamilyName))
>>                                 }
>>                                 else {
>>                                
>>             basic.norm(basic.stringify(tmpGivenNameInitial +
>>             tmpFamilyName)) + iterationToken
>>                                 }
>>                             </code>
>>                      </script>
>>                   </expression>
>>                   <target>
>>                      <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>name</c:path>
>>                   </target>
>>                </mapping>
>>                <mapping>
>>                   <source>
>>                      <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$user/name</c:path>
>>                   </source>
>>                   <source>
>>                      <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$user/emailAddress</c:path>
>>                   </source>
>>                   <expression>
>>                      <script>
>>                        
>>             <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>>                         <code>name+'@bshp.edu
>>             <mailto:name%2B%27 at bshp.edu>'</code>
>>                      </script>
>>                   </expression>
>>                   <target>
>>                      <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>emailAddress</c:path>
>>                   </target>
>>                </mapping>
>>             </objectTemplate>
>>
>>             The CSV entry:
>>             employeeID,firstname,lastname,otherMailbox,program,organization
>>             "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>>
>>             MidPoint User after sync:
>>             <user
>>             xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>                   oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>>                   version="1">
>>                <name>anpapecok4</name>
>>             . . .
>>                <iteration>3</iteration>
>>                <iterationToken>4</iterationToken>
>>                <givenName>Andrej</givenName>
>>                <familyName>Papecok</familyName>
>>             *   <emailAddress>anpapecok4 at bshp.edu
>>             <mailto:anpapecok4 at bshp.edu></emailAddress>*
>>                <employeeNumber>papecok4</employeeNumber>
>>             . . .
>>             </user>
>>
>>             This is midPoint git-v3.0.1devel-704-g0937a70
>>
>>             Can you see any difference with your config...?
>>
>>             Regards,
>>             Ivan
>>
>>
>>             On 12/10/2014 05:13 PM, Jason Everling wrote:
>>>             So I disabled or removed that template from the resource
>>>             reactions, I set it as the default template is sysconfig.
>>>
>>>             It still does it,    <emailAddress>null at domain.com
>>>             <mailto:null at domain.com></emailAddress> seems to be
>>>             affected,
>>>
>>>             Wierd though, I turned on debugging,
>>>
>>>             It shows the attribute being created correctly, you can
>>>             see from the log but in the gui and in the user xml it
>>>             is null at domain.com <mailto:null at domain.com>
>>>
>>>             ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>>               user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>>>                   extension: 
>>>                       otherMailbox: [ hhernandez at local.org
>>>             <mailto:hhernandez at local.org> ]
>>>                       eduPersonAffiliation: [ student ]
>>>                   givenName: Herman
>>>                   familyName: Hernandes
>>>                   costCenter: PN
>>>                   employeeNumber: HE5019982
>>>                   credentials: 
>>>                       password: 
>>>                           value:
>>>             ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>>>             keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>>>             cipherData=CipherDataType(cipherValue=[32 bytes])))
>>>                   activation: 
>>>                       administrativeStatus: ENABLED
>>>                       effectiveStatus: ENABLED
>>>                       enableTimestamp: 2014-12-10T10:07:21.502-06:00
>>>                   emailAddress: hehernandes at domain.com
>>>             <mailto:hehernandes at domain.com>
>>>                   name: hehernandes
>>>                   employeeType: [ A2S ]
>>>                   locale: US
>>>                   organization: [ OU=DPN,OU=SHP
>>>             Students,DC=TEST,DC=LOCAL ]
>>>                   locality: San Antonio
>>>                   fullName: Herman Hernandes
>>>                   iteration: 0
>>>
>>>             On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris
>>>             <ivan.noris at evolveum.com
>>>             <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>>                 Jason,
>>>
>>>                 I believe I have seen this couple of weeks ago when
>>>                 debugging the iterator problem... seems that I've
>>>                 forgotten about this.
>>>
>>>                 But as far I can remember, it has worked when the
>>>                 mapping was in global system template instead of the
>>>                 resource-referenced.
>>>
>>>                 If you can temporarily disable using of the template
>>>                 in resource and set the same template in System
>>>                 Configuration for UserType objects, can you please
>>>                 test the behaviour?
>>>
>>>                 Anyway it seems to be a bug, so after you could
>>>                 confirm the behaviour, I'd create a new issue.
>>>
>>>                 Thanks,
>>>                 I.
>>>
>>>
>>>                 On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>>                 Since I upgraded to 3.1 and I am not sure if this
>>>>                 is related to the other CSV Resource issue.
>>>>
>>>>                 Here is the mapping for the template, it worked
>>>>                 fine in 3.0.1 so I do not know if anything changed,
>>>>                 the email address is built using name +
>>>>                 '@domain.com <http://domain.com>' but when the user
>>>>                 is created I get null at domain.com
>>>>                 <mailto:null at domain.com>, like it is not picking up
>>>>                 the username from the first mapping
>>>>
>>>>                     <mapping>
>>>>                         <name>Generate Username for CSV</name>
>>>>                         <source>
>>>>                             <name>tmpGivenName</name>
>>>>                             <path>givenName</path>
>>>>                         </source>
>>>>                         <source>
>>>>                             <name>tmpFamilyName</name>
>>>>                             <path>familyName</path>
>>>>                         </source>
>>>>                         <!-- Will generate username in the
>>>>                 filastname format with iterator,
>>>>                               filastname
>>>>                               filastname2
>>>>                         -->
>>>>                         <expression>
>>>>                             <script>
>>>>                                 <code>
>>>>                                     tmpGivenNameInitial =
>>>>                 basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>>                                    
>>>>                 (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>>                                     if (iteration == 0) {
>>>>                                    
>>>>                 basic.norm(basic.stringify(tmpGivenNameInitial +
>>>>                 tmpFamilyName))
>>>>                                     }
>>>>                                     else {
>>>>                                    
>>>>                 basic.norm(basic.stringify(tmpGivenNameInitial +
>>>>                 tmpFamilyName)) + iterationToken
>>>>                                     }
>>>>                                 </code>
>>>>                             </script>
>>>>                         </expression>
>>>>                         <target>
>>>>                             <path>name</path>
>>>>                         </target>
>>>>                     </mapping>
>>>>
>>>>                     <iteration>
>>>>                         <maxIterations>25</maxIterations>
>>>>                         <tokenExpression>
>>>>                             <script>
>>>>                                 <code>
>>>>                                     if (iteration == 0) {
>>>>                                     return "";
>>>>                                     } else {
>>>>                                     return "" + (iteration+1)
>>>>                                     }
>>>>                                 </code>
>>>>                             </script>
>>>>                         </tokenExpression>
>>>>                     </iteration>
>>>>
>>>>                     <mapping>
>>>>                         <source>
>>>>                             <path>$user/name</path>
>>>>                         </source>
>>>>                         <expression>
>>>>                             <script>
>>>>                                
>>>>                 <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>>>>                                 <code>name + '@domain.com
>>>>                 <http://domain.com>'</code>
>>>>                             </script>
>>>>                         </expression>
>>>>                         <target>
>>>>                             <path>emailAddress</path>
>>>>                         </target>
>>>>                     </mapping>
>>>>
>>>>
>>>>
>>>>
>>>>                 CONFIDENTIALITY NOTICE:
>>>>                 This e-mail together with any attachments is
>>>>                 proprietary and confidential; intended for only the
>>>>                 recipient(s) named above and may contain
>>>>                 information that is privileged. You should not
>>>>                 retain, copy or use this e-mail or any attachments
>>>>                 for any purpose, or disclose all or any part of the
>>>>                 contents to any person. Any views or opinions
>>>>                 expressed in this e-mail are those of the author
>>>>                 and do not represent those of the Baptist School of
>>>>                 Health Professions. If you have received this
>>>>                 e-mail in error, or are not the named recipient(s),
>>>>                 you are hereby notified that any review,
>>>>                 dissemination, distribution or copying of this
>>>>                 communication is prohibited by the sender and to do
>>>>                 so might constitute a violation of the Electronic
>>>>                 Communications Privacy Act, 18 U.S.C. section
>>>>                 2510-2521. Please immediately notify the sender and
>>>>                 delete this e-mail and any attachments from your
>>>>                 computer.
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 midPoint mailing list
>>>>                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>                 -- 
>>>                   Ing. Ivan Noris
>>>                   Senior Identity Management Engineer
>>>                   evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>                   _____________________________________________
>>>                   "Semper Id(e)M Vix."
>>>
>>>
>>>                 _______________________________________________
>>>                 midPoint mailing list
>>>                 midPoint at lists.evolveum.com
>>>                 <mailto:midPoint at lists.evolveum.com>
>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>             CONFIDENTIALITY NOTICE:
>>>             This e-mail together with any attachments is proprietary
>>>             and confidential; intended for only the recipient(s)
>>>             named above and may contain information that is
>>>             privileged. You should not retain, copy or use this
>>>             e-mail or any attachments for any purpose, or disclose
>>>             all or any part of the contents to any person. Any views
>>>             or opinions expressed in this e-mail are those of the
>>>             author and do not represent those of the Baptist School
>>>             of Health Professions. If you have received this e-mail
>>>             in error, or are not the named recipient(s), you are
>>>             hereby notified that any review, dissemination,
>>>             distribution or copying of this communication is
>>>             prohibited by the sender and to do so might constitute a
>>>             violation of the Electronic Communications Privacy Act,
>>>             18 U.S.C. section 2510-2521. Please immediately notify
>>>             the sender and delete this e-mail and any attachments
>>>             from your computer.
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>             -- 
>>               Ing. Ivan Noris
>>               Senior Identity Management Engineer
>>               evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>               _____________________________________________
>>               "Semper Id(e)M Vix."
>>
>>
>>             _______________________________________________
>>             midPoint mailing list
>>             midPoint at lists.evolveum.com
>>             <mailto:midPoint at lists.evolveum.com>
>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>         CONFIDENTIALITY NOTICE:
>>         This e-mail together with any attachments is proprietary and
>>         confidential; intended for only the recipient(s) named above
>>         and may contain information that is privileged. You should
>>         not retain, copy or use this e-mail or any attachments for
>>         any purpose, or disclose all or any part of the contents to
>>         any person. Any views or opinions expressed in this e-mail
>>         are those of the author and do not represent those of the
>>         Baptist School of Health Professions. If you have received
>>         this e-mail in error, or are not the named recipient(s), you
>>         are hereby notified that any review, dissemination,
>>         distribution or copying of this communication is prohibited
>>         by the sender and to do so might constitute a violation of
>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>         2510-2521. Please immediately notify the sender and delete
>>         this e-mail and any attachments from your computer.
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>         -- 
>           Ing. Ivan Noris
>           Senior Identity Management Engineer
>           evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>           _____________________________________________
>           "Semper Id(e)M Vix."
>
>
>         _______________________________________________
>         midPoint mailing list
>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/db377df2/attachment.htm>

From jeverling at bshp.edu  Wed Dec 10 22:35:03 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 10 Dec 2014 15:35:03 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <5488B9E6.1000901@evolveum.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
 <5488A080.90404@evolveum.com>
 <CAFkZXY66mmsHvMidXfEBbgqZhzC7NoSLC4cXYuWhRUuPdWO6sA@mail.gmail.com>
 <CAFkZXY5wWJA3uWW6GjMOZM8fFN4EBssS5MZ4fr-tsGssf+c3ow@mail.gmail.com>
 <5488B9E6.1000901@evolveum.com>
Message-ID: <CAFkZXY6sOAXq70Sm2qUOM9g6k0oKiDq7OpuENJqst4EhNO=7WA@mail.gmail.com>

I downloaded the latest, I am also going to wipe out my install and start
bringing in my resources one by one and my templates. I am going to add one
CSV user at a time while I add my objects just in case it is one of my
objects I will at least know which one,

JASON

On Wed, Dec 10, 2014 at 3:23 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> that is really strange, but I'm hoping that it's not happening after you
> upgrade. I don't have the very very latest midPoint though.
>
> Regards,
> Ivan
>
>
> On 12/10/2014 09:17 PM, Jason Everling wrote:
>
> While I am downloading, there has to be something in mine that is doing
> this, I noticed on yours also that the
>
>  <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
> type="OrgType"><!-- Posam --></parentOrgRef>
>
>  is added to the user object but it is still not added on mine when I use
> the CSV resource but does when using the GUI,
>
>  Strange...
>
>  JASON
>
> On Wed, Dec 10, 2014 at 1:40 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> I am using,
>>
>>  git-v3.0.1devel-693-g11c758b
>>
>>  I will update to the latest since I am behind what yours is at and let
>> you know
>>
>>  JASON
>>
>> On Wed, Dec 10, 2014 at 1:35 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  I have re-added the Org assignment as I was testing last week. It's
>>> still working.
>>>
>>> This is what I added at the end of the template:
>>>
>>>    <mapping>
>>>       <authoritative>true</authoritative>
>>>       <source>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >organization</c:path>
>>>       </source>
>>>       <expression>
>>>          <assignmentTargetSearch>
>>>             <targetType xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >c:OrgType</targetType>
>>>             <filter xmlns:q=
>>> "http://prism.evolveum.com/xml/ns/public/query-3"
>>> <http://prism.evolveum.com/xml/ns/public/query-3>>
>>>                <q:equal>
>>>                   <q:path>name</q:path>
>>>                   <expression>
>>>                      <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >$organization</c:path>
>>>                   </expression>
>>>                </q:equal>
>>>             </filter>
>>>          </assignmentTargetSearch>
>>>       </expression>
>>>       <target>
>>>          <c:path xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>> >assignment</c:path>
>>>       </target>
>>>    </mapping>
>>>
>>> User:
>>> <user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>       oid="9be4e4c9-66fc-4fbe-83c8-286ebfb9ac6e"
>>>       version="1">
>>>    <name>anpapecok5</name>
>>>    <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
>>> type="OrgType"><!-- Posam --></parentOrgRef>
>>>    <metadata>
>>>       <createTimestamp>2014-12-10T20:30:38.743+01:00</createTimestamp>
>>>       <creatorRef oid="00000000-0000-0000-0000-000000000002"
>>> type="UserType"><!-- administrator --></creatorRef>
>>>       <createChannel>
>>> http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
>>> </createChannel>
>>>    </metadata>
>>>    <linkRef oid="abb8d8cc-507b-4210-aac7-3777c37b4b5b"
>>> type="ShadowType"><!-- papecok5 --></linkRef>
>>>    <assignment id="1">
>>>       <targetRef xmlns:c=
>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>                  oid="00000000-8888-6666-0000-100000000030"
>>>                  type="c:OrgType"><!-- MyOrg --></targetRef>
>>>    </assignment>
>>>    <activation>
>>>       <effectiveStatus>disabled</effectiveStatus>
>>>       <disableTimestamp>2014-12-10T20:30:38.086+01:00</disableTimestamp>
>>>    </activation>
>>>    <iteration>4</iteration>
>>>    <iterationToken>5</iterationToken>
>>>    <givenName>Andrej</givenName>
>>>    <familyName>Papecok</familyName>
>>>     <emailAddress>anpapecok5 at bshp.edu</emailAddress>
>>>    <employeeNumber>papecok5</employeeNumber>
>>>    <costCenter>xxx</costCenter>
>>>    <organization>MyOrg</organization>
>>> . . .
>>> </user>
>>>
>>> So unless there is any trick hidden in the other mappings, maybe the
>>> issue was resolved since your snapshot... Can you post the exact midPoint
>>> version?
>>>
>>> I.
>>>
>>>
>>>
>>> On 12/10/2014 08:25 PM, Jason Everling wrote:
>>>
>>> No not really, looks to be the same,
>>>
>>>  I attached the template,
>>>
>>>  The only thing else besides creating the username and email address is
>>> that it assigns the correct Org based on the costCenter attribute which is
>>> mapped to program in my CSV and also assigns a role,
>>>
>>>
>>>
>>> On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>> this is interesting: it seems to work:
>>>>
>>>> Right now I have resource with object template reference in unmatched
>>>> action:
>>>> . . .
>>>>       <reaction>
>>>>             <situation>unmatched</situation>
>>>>             <objectTemplateRef
>>>> oid="10000000-0000-0000-1111-000000000203"/>
>>>>             <action ref=
>>>> "http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>>>> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>>>>          </reaction>
>>>> . . .
>>>>
>>>> The template:
>>>> <objectTemplate xmlns=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>                 oid="10000000-0000-0000-1111-000000000203"
>>>>                 version="2">
>>>>    <name>Default User Template (VIX)</name>
>>>>    <iteration>
>>>>       <maxIterations>999</maxIterations>
>>>>       <tokenExpression>
>>>>          <script>
>>>>             <code>
>>>>                             if (iteration == 0) {
>>>>                             return "";
>>>>                             } else {
>>>>                             return "" + (iteration+1)
>>>>                             }
>>>>                         </code>
>>>>          </script>
>>>>       </tokenExpression>
>>>>    </iteration>
>>>>    <mapping>
>>>>        <name>Generate Username</name>
>>>>       <source>
>>>>          <name>tmpGivenName</name>
>>>>          <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >givenName</c:path>
>>>>       </source>
>>>>       <source>
>>>>          <name>tmpFamilyName</name>
>>>>           <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >familyName</c:path>
>>>>       </source>
>>>>       <expression>
>>>>          <script>
>>>>             <code>
>>>>                     tmpGivenNameInitial =
>>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>> (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>>                     if (iteration == 0) {
>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>> tmpFamilyName))
>>>>                     }
>>>>                     else {
>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>> tmpFamilyName)) + iterationToken
>>>>                     }
>>>>                 </code>
>>>>          </script>
>>>>       </expression>
>>>>       <target>
>>>>           <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >name</c:path>
>>>>       </target>
>>>>    </mapping>
>>>>    <mapping>
>>>>       <source>
>>>>          <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >$user/name</c:path>
>>>>       </source>
>>>>       <source>
>>>>          <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >$user/emailAddress</c:path>
>>>>       </source>
>>>>       <expression>
>>>>          <script>
>>>>             <language>
>>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>>> </language>
>>>>              <code>name+'@bshp.edu'</code>
>>>>          </script>
>>>>       </expression>
>>>>       <target>
>>>>          <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >emailAddress</c:path>
>>>>       </target>
>>>>    </mapping>
>>>> </objectTemplate>
>>>>
>>>> The CSV entry:
>>>> employeeID,firstname,lastname,otherMailbox,program,organization
>>>> "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>>>>
>>>> MidPoint User after sync:
>>>> <user xmlns=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>       oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>>>>       version="1">
>>>>    <name>anpapecok4</name>
>>>> . . .
>>>>    <iteration>3</iteration>
>>>>    <iterationToken>4</iterationToken>
>>>>    <givenName>Andrej</givenName>
>>>>    <familyName>Papecok</familyName>
>>>> *   <emailAddress>anpapecok4 at bshp.edu
>>>> <anpapecok4 at bshp.edu></emailAddress>*
>>>>    <employeeNumber>papecok4</employeeNumber>
>>>> . . .
>>>> </user>
>>>>
>>>> This is midPoint git-v3.0.1devel-704-g0937a70
>>>>
>>>> Can you see any difference with your config...?
>>>>
>>>> Regards,
>>>> Ivan
>>>>
>>>>
>>>> On 12/10/2014 05:13 PM, Jason Everling wrote:
>>>>
>>>> So I disabled or removed that template from the resource reactions, I
>>>> set it as the default template is sysconfig.
>>>>
>>>>  It still does it,    <emailAddress>null at domain.com</emailAddress>
>>>> seems to be affected,
>>>>
>>>>  Wierd though, I turned on debugging,
>>>>
>>>>  It shows the attribute being created correctly, you can see from the
>>>> log but in the gui and in the user xml it is null at domain.com
>>>>
>>>>
>>>> ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>>>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>>>>       extension:
>>>>           otherMailbox: [ hhernandez at local.org ]
>>>>           eduPersonAffiliation: [ student ]
>>>>       givenName: Herman
>>>>       familyName: Hernandes
>>>>       costCenter: PN
>>>>       employeeNumber: HE5019982
>>>>       credentials:
>>>>           password:
>>>>               value:
>>>> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
>>>> http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>>>> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>>>> cipherData=CipherDataType(cipherValue=[32 bytes])))
>>>>       activation:
>>>>           administrativeStatus: ENABLED
>>>>           effectiveStatus: ENABLED
>>>>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>>>>       emailAddress: hehernandes at domain.com
>>>>       name: hehernandes
>>>>       employeeType: [ A2S ]
>>>>       locale: US
>>>>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>>>>       locality: San Antonio
>>>>       fullName: Herman Hernandes
>>>>       iteration: 0
>>>>
>>>> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Jason,
>>>>>
>>>>> I believe I have seen this couple of weeks ago when debugging the
>>>>> iterator problem... seems that I've forgotten about this.
>>>>>
>>>>> But as far I can remember, it has worked when the mapping was in
>>>>> global system template instead of the resource-referenced.
>>>>>
>>>>> If you can temporarily disable using of the template in resource and
>>>>> set the same template in System Configuration for UserType objects, can you
>>>>> please test the behaviour?
>>>>>
>>>>> Anyway it seems to be a bug, so after you could confirm the behaviour,
>>>>> I'd create a new issue.
>>>>>
>>>>> Thanks,
>>>>> I.
>>>>>
>>>>>
>>>>> On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>>>
>>>>>  Since I upgraded to 3.1 and I am not sure if this is related to the
>>>>> other CSV Resource issue.
>>>>>
>>>>>  Here is the mapping for the template, it worked fine in 3.0.1 so I
>>>>> do not know if anything changed, the email address is built using name + '@
>>>>> domain.com' but when the user is created I get null at domain.com, like
>>>>> it is not picking up the username from the first mapping
>>>>>
>>>>>      <mapping>
>>>>>         <name>Generate Username for CSV</name>
>>>>>         <source>
>>>>>             <name>tmpGivenName</name>
>>>>>             <path>givenName</path>
>>>>>         </source>
>>>>>         <source>
>>>>>             <name>tmpFamilyName</name>
>>>>>             <path>familyName</path>
>>>>>         </source>
>>>>>         <!-- Will generate username in the filastname format with
>>>>> iterator,
>>>>>               filastname
>>>>>               filastname2
>>>>>         -->
>>>>>         <expression>
>>>>>             <script>
>>>>>                 <code>
>>>>>                     tmpGivenNameInitial =
>>>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>>>                     (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>>>                     if (iteration == 0) {
>>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>>> tmpFamilyName))
>>>>>                     }
>>>>>                     else {
>>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>>> tmpFamilyName)) + iterationToken
>>>>>                     }
>>>>>                 </code>
>>>>>             </script>
>>>>>         </expression>
>>>>>         <target>
>>>>>             <path>name</path>
>>>>>         </target>
>>>>>     </mapping>
>>>>>
>>>>>      <iteration>
>>>>>         <maxIterations>25</maxIterations>
>>>>>         <tokenExpression>
>>>>>             <script>
>>>>>                 <code>
>>>>>                     if (iteration == 0) {
>>>>>                     return "";
>>>>>                     } else {
>>>>>                     return "" + (iteration+1)
>>>>>                     }
>>>>>                 </code>
>>>>>             </script>
>>>>>         </tokenExpression>
>>>>>     </iteration>
>>>>>
>>>>>      <mapping>
>>>>>         <source>
>>>>>             <path>$user/name</path>
>>>>>         </source>
>>>>>         <expression>
>>>>>             <script>
>>>>>                 <language>
>>>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>>>> </language>
>>>>>                 <code>name + '@domain.com'</code>
>>>>>             </script>
>>>>>         </expression>
>>>>>         <target>
>>>>>             <path>emailAddress</path>
>>>>>         </target>
>>>>>     </mapping>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>> --
>>>>>   Ing. Ivan Noris
>>>>>   Senior Identity Management Engineer
>>>>>   evolveum.com     evolveum.com/blog/
>>>>>   _____________________________________________
>>>>>   "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above and may
>>> contain information that is privileged. You should not retain, copy or use
>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>> of the contents to any person. Any views or opinions expressed in this
>>> e-mail are those of the author and do not represent those of the Baptist
>>> School of Health Professions. If you have received this e-mail in error, or
>>> are not the named recipient(s), you are hereby notified that any review,
>>> dissemination, distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of the Electronic
>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>> notify the sender and delete this e-mail and any attachments from your
>>> computer.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141210/7c2f20e2/attachment.htm>

From ivan.noris at evolveum.com  Thu Dec 11 08:43:57 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 11 Dec 2014 08:43:57 +0100
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <CAFkZXY6sOAXq70Sm2qUOM9g6k0oKiDq7OpuENJqst4EhNO=7WA@mail.gmail.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
 <5488A080.90404@evolveum.com>
 <CAFkZXY66mmsHvMidXfEBbgqZhzC7NoSLC4cXYuWhRUuPdWO6sA@mail.gmail.com>
 <CAFkZXY5wWJA3uWW6GjMOZM8fFN4EBssS5MZ4fr-tsGssf+c3ow@mail.gmail.com>
 <5488B9E6.1000901@evolveum.com>
 <CAFkZXY6sOAXq70Sm2qUOM9g6k0oKiDq7OpuENJqst4EhNO=7WA@mail.gmail.com>
Message-ID: <54894B3D.5090403@evolveum.com>

This seems reasonable. Good luck.

Regards,
Ivan

On 12/10/2014 10:35 PM, Jason Everling wrote:
> I downloaded the latest, I am also going to wipe out my install and
> start bringing in my resources one by one and my templates. I am going
> to add one CSV user at a time while I add my objects just in case it
> is one of my objects I will at least know which one,
>
> JASON
>
> On Wed, Dec 10, 2014 at 3:23 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Jason,
>
>     that is really strange, but I'm hoping that it's not happening
>     after you upgrade. I don't have the very very latest midPoint though.
>
>     Regards,
>     Ivan
>
>
>     On 12/10/2014 09:17 PM, Jason Everling wrote:
>>     While I am downloading, there has to be something in mine that is
>>     doing this, I noticed on yours also that the 
>>
>>     <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
>>     type="OrgType"><!-- Posam --></parentOrgRef> 
>>
>>     is added to the user object but it is still not added on mine
>>     when I use the CSV resource but does when using the GUI,
>>
>>     Strange...
>>
>>     JASON
>>
>>     On Wed, Dec 10, 2014 at 1:40 PM, Jason Everling
>>     <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>>
>>         I am using,
>>
>>         git-v3.0.1devel-693-g11c758b
>>
>>         I will update to the latest since I am behind what yours is
>>         at and let you know
>>
>>         JASON
>>
>>         On Wed, Dec 10, 2014 at 1:35 PM, Ivan Noris
>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>             I have re-added the Org assignment as I was testing last
>>             week. It's still working.
>>
>>             This is what I added at the end of the template:
>>
>>                <mapping>
>>                   <authoritative>true</authoritative>
>>                   <source>
>>                      <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>organization</c:path>
>>                   </source>
>>                   <expression>
>>                      <assignmentTargetSearch>
>>                         <targetType
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>c:OrgType</targetType>
>>                         <filter
>>             xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>             <http://prism.evolveum.com/xml/ns/public/query-3>>
>>                            <q:equal>
>>                               <q:path>name</q:path>
>>                               <expression>
>>                                  <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$organization</c:path>
>>                               </expression>
>>                            </q:equal>
>>                         </filter>
>>                      </assignmentTargetSearch>
>>                   </expression>
>>                   <target>
>>                      <c:path
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>assignment</c:path>
>>                   </target>
>>                </mapping>
>>
>>             User:
>>             <user
>>             xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>                   oid="9be4e4c9-66fc-4fbe-83c8-286ebfb9ac6e"
>>                   version="1">
>>                <name>anpapecok5</name>
>>                <parentOrgRef
>>             oid="00000000-8888-6666-0000-100000000030"
>>             type="OrgType"><!-- Posam --></parentOrgRef>
>>                <metadata>
>>                  
>>             <createTimestamp>2014-12-10T20:30:38.743+01:00</createTimestamp>
>>                   <creatorRef
>>             oid="00000000-0000-0000-0000-000000000002"
>>             type="UserType"><!-- administrator --></creatorRef>
>>                  
>>             <createChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</createChannel>
>>                </metadata>
>>                <linkRef oid="abb8d8cc-507b-4210-aac7-3777c37b4b5b"
>>             type="ShadowType"><!-- papecok5 --></linkRef>
>>                <assignment id="1">
>>                   <targetRef
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>                              oid="00000000-8888-6666-0000-100000000030"
>>                              type="c:OrgType"><!-- MyOrg --></targetRef>
>>                </assignment>
>>                <activation>
>>                   <effectiveStatus>disabled</effectiveStatus>
>>                  
>>             <disableTimestamp>2014-12-10T20:30:38.086+01:00</disableTimestamp>
>>                </activation>
>>                <iteration>4</iteration>
>>                <iterationToken>5</iterationToken>
>>                <givenName>Andrej</givenName>
>>                <familyName>Papecok</familyName>
>>                <emailAddress>anpapecok5 at bshp.edu
>>             <mailto:anpapecok5 at bshp.edu></emailAddress>
>>                <employeeNumber>papecok5</employeeNumber>
>>                <costCenter>xxx</costCenter>
>>                <organization>MyOrg</organization>
>>             . . .
>>             </user>
>>
>>             So unless there is any trick hidden in the other
>>             mappings, maybe the issue was resolved since your
>>             snapshot... Can you post the exact midPoint version?
>>
>>             I.
>>
>>
>>
>>             On 12/10/2014 08:25 PM, Jason Everling wrote:
>>>             No not really, looks to be the same,
>>>
>>>             I attached the template,
>>>
>>>             The only thing else besides creating the username and
>>>             email address is that it assigns the correct Org based
>>>             on the costCenter attribute which is mapped to program
>>>             in my CSV and also assigns a role,
>>>
>>>
>>>
>>>             On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris
>>>             <ivan.noris at evolveum.com
>>>             <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>>                 Hi Jason,
>>>
>>>                 this is interesting: it seems to work:
>>>
>>>                 Right now I have resource with object template
>>>                 reference in unmatched action:
>>>                 . . .
>>>                       <reaction>
>>>                             <situation>unmatched</situation>
>>>                             <objectTemplateRef
>>>                 oid="10000000-0000-0000-1111-000000000203"/>
>>>                             <action
>>>                 ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>>>                          </reaction>
>>>                 . . .
>>>
>>>                 The template:
>>>                 <objectTemplate
>>>                 xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>                                
>>>                 oid="10000000-0000-0000-1111-000000000203"
>>>                                 version="2">
>>>                    <name>Default User Template (VIX)</name>
>>>                    <iteration>
>>>                       <maxIterations>999</maxIterations>
>>>                       <tokenExpression>
>>>                          <script>
>>>                             <code>
>>>                                             if (iteration == 0) {
>>>                                             return "";
>>>                                             } else {
>>>                                             return "" + (iteration+1)
>>>                                             }
>>>                                         </code>
>>>                          </script>
>>>                       </tokenExpression>
>>>                    </iteration>
>>>                    <mapping>
>>>                       <name>Generate Username</name>
>>>                       <source>
>>>                          <name>tmpGivenName</name>
>>>                          <c:path
>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>givenName</c:path>
>>>                       </source>
>>>                       <source>
>>>                          <name>tmpFamilyName</name>
>>>                          <c:path
>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>familyName</c:path>
>>>                       </source>
>>>                       <expression>
>>>                          <script>
>>>                             <code>
>>>                                     tmpGivenNameInitial =
>>>                 basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>                 (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>                                     if (iteration == 0) {
>>>                                    
>>>                 basic.norm(basic.stringify(tmpGivenNameInitial +
>>>                 tmpFamilyName))
>>>                                     }
>>>                                     else {
>>>                                    
>>>                 basic.norm(basic.stringify(tmpGivenNameInitial +
>>>                 tmpFamilyName)) + iterationToken
>>>                                     }
>>>                                 </code>
>>>                          </script>
>>>                       </expression>
>>>                       <target>
>>>                          <c:path
>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>name</c:path>
>>>                       </target>
>>>                    </mapping>
>>>                    <mapping>
>>>                       <source>
>>>                          <c:path
>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$user/name</c:path>
>>>                       </source>
>>>                       <source>
>>>                          <c:path
>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>$user/emailAddress</c:path>
>>>                       </source>
>>>                       <expression>
>>>                          <script>
>>>                            
>>>                 <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>>>                             <code>name+'@bshp.edu
>>>                 <mailto:name%2B%27 at bshp.edu>'</code>
>>>                          </script>
>>>                       </expression>
>>>                       <target>
>>>                          <c:path
>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/common/common-3>>emailAddress</c:path>
>>>                       </target>
>>>                    </mapping>
>>>                 </objectTemplate>
>>>
>>>                 The CSV entry:
>>>                 employeeID,firstname,lastname,otherMailbox,program,organization
>>>                 "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>>>
>>>                 MidPoint User after sync:
>>>                 <user
>>>                 xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>                 <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>                       oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>>>                       version="1">
>>>                    <name>anpapecok4</name>
>>>                 . . .
>>>                    <iteration>3</iteration>
>>>                    <iterationToken>4</iterationToken>
>>>                    <givenName>Andrej</givenName>
>>>                    <familyName>Papecok</familyName>
>>>                 *   <emailAddress>anpapecok4 at bshp.edu
>>>                 <mailto:anpapecok4 at bshp.edu></emailAddress>*
>>>                    <employeeNumber>papecok4</employeeNumber>
>>>                 . . .
>>>                 </user>
>>>
>>>                 This is midPoint git-v3.0.1devel-704-g0937a70
>>>
>>>                 Can you see any difference with your config...?
>>>
>>>                 Regards,
>>>                 Ivan
>>>
>>>
>>>                 On 12/10/2014 05:13 PM, Jason Everling wrote:
>>>>                 So I disabled or removed that template from the
>>>>                 resource reactions, I set it as the default
>>>>                 template is sysconfig.
>>>>
>>>>                 It still does it,    <emailAddress>null at domain.com
>>>>                 <mailto:null at domain.com></emailAddress> seems to be
>>>>                 affected,
>>>>
>>>>                 Wierd though, I turned on debugging,
>>>>
>>>>                 It shows the attribute being created correctly, you
>>>>                 can see from the log but in the gui and in the user
>>>>                 xml it is null at domain.com <mailto:null at domain.com>
>>>>
>>>>                 ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>>>                   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0,
>>>>                 UserType)
>>>>                       extension: 
>>>>                           otherMailbox: [ hhernandez at local.org
>>>>                 <mailto:hhernandez at local.org> ]
>>>>                           eduPersonAffiliation: [ student ]
>>>>                       givenName: Herman
>>>>                       familyName: Hernandes
>>>>                       costCenter: PN
>>>>                       employeeNumber: HE5019982
>>>>                       credentials: 
>>>>                           password: 
>>>>                               value:
>>>>                 ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>>>>                 keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>>>>                 cipherData=CipherDataType(cipherValue=[32 bytes])))
>>>>                       activation: 
>>>>                           administrativeStatus: ENABLED
>>>>                           effectiveStatus: ENABLED
>>>>                           enableTimestamp:
>>>>                 2014-12-10T10:07:21.502-06:00
>>>>                       emailAddress: hehernandes at domain.com
>>>>                 <mailto:hehernandes at domain.com>
>>>>                       name: hehernandes
>>>>                       employeeType: [ A2S ]
>>>>                       locale: US
>>>>                       organization: [ OU=DPN,OU=SHP
>>>>                 Students,DC=TEST,DC=LOCAL ]
>>>>                       locality: San Antonio
>>>>                       fullName: Herman Hernandes
>>>>                       iteration: 0
>>>>
>>>>                 On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris
>>>>                 <ivan.noris at evolveum.com
>>>>                 <mailto:ivan.noris at evolveum.com>> wrote:
>>>>
>>>>                     Jason,
>>>>
>>>>                     I believe I have seen this couple of weeks ago
>>>>                     when debugging the iterator problem... seems
>>>>                     that I've forgotten about this.
>>>>
>>>>                     But as far I can remember, it has worked when
>>>>                     the mapping was in global system template
>>>>                     instead of the resource-referenced.
>>>>
>>>>                     If you can temporarily disable using of the
>>>>                     template in resource and set the same template
>>>>                     in System Configuration for UserType objects,
>>>>                     can you please test the behaviour?
>>>>
>>>>                     Anyway it seems to be a bug, so after you could
>>>>                     confirm the behaviour, I'd create a new issue.
>>>>
>>>>                     Thanks,
>>>>                     I.
>>>>
>>>>
>>>>                     On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>>>                     Since I upgraded to 3.1 and I am not sure if
>>>>>                     this is related to the other CSV Resource issue.
>>>>>
>>>>>                     Here is the mapping for the template, it
>>>>>                     worked fine in 3.0.1 so I do not know if
>>>>>                     anything changed, the email address is built
>>>>>                     using name + '@domain.com <http://domain.com>'
>>>>>                     but when the user is created I get
>>>>>                     null at domain.com <mailto:null at domain.com>, like
>>>>>                     it is not picking up the username from the
>>>>>                     first mapping
>>>>>
>>>>>                         <mapping>
>>>>>                             <name>Generate Username for CSV</name>
>>>>>                             <source>
>>>>>                                 <name>tmpGivenName</name>
>>>>>                                 <path>givenName</path>
>>>>>                             </source>
>>>>>                             <source>
>>>>>                                 <name>tmpFamilyName</name>
>>>>>                                 <path>familyName</path>
>>>>>                             </source>
>>>>>                             <!-- Will generate username in the
>>>>>                     filastname format with iterator,
>>>>>                                   filastname
>>>>>                                   filastname2
>>>>>                             -->
>>>>>                             <expression>
>>>>>                                 <script>
>>>>>                                     <code>
>>>>>                                         tmpGivenNameInitial =
>>>>>                     basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>>>                                        
>>>>>                     (basic.stringify(tmpGivenName)).substring(0,2)
>>>>>                     : ''
>>>>>                                         if (iteration == 0) {
>>>>>                                        
>>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial
>>>>>                     + tmpFamilyName))
>>>>>                                         }
>>>>>                                         else {
>>>>>                                        
>>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial
>>>>>                     + tmpFamilyName)) + iterationToken
>>>>>                                         }
>>>>>                                     </code>
>>>>>                                 </script>
>>>>>                             </expression>
>>>>>                             <target>
>>>>>                                 <path>name</path>
>>>>>                             </target>
>>>>>                         </mapping>
>>>>>
>>>>>                         <iteration>
>>>>>                             <maxIterations>25</maxIterations>
>>>>>                             <tokenExpression>
>>>>>                                 <script>
>>>>>                                     <code>
>>>>>                                         if (iteration == 0) {
>>>>>                                         return "";
>>>>>                                         } else {
>>>>>                                         return "" + (iteration+1)
>>>>>                                         }
>>>>>                                     </code>
>>>>>                                 </script>
>>>>>                             </tokenExpression>
>>>>>                         </iteration>
>>>>>
>>>>>                         <mapping>
>>>>>                             <source>
>>>>>                                 <path>$user/name</path>
>>>>>                             </source>
>>>>>                             <expression>
>>>>>                                 <script>
>>>>>                                    
>>>>>                     <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>>>>>                                     <code>name + '@domain.com
>>>>>                     <http://domain.com>'</code>
>>>>>                                 </script>
>>>>>                             </expression>
>>>>>                             <target>
>>>>>                                 <path>emailAddress</path>
>>>>>                             </target>
>>>>>                         </mapping>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>                     CONFIDENTIALITY NOTICE:
>>>>>                     This e-mail together with any attachments is
>>>>>                     proprietary and confidential; intended for
>>>>>                     only the recipient(s) named above and may
>>>>>                     contain information that is privileged. You
>>>>>                     should not retain, copy or use this e-mail or
>>>>>                     any attachments for any purpose, or disclose
>>>>>                     all or any part of the contents to any person.
>>>>>                     Any views or opinions expressed in this e-mail
>>>>>                     are those of the author and do not represent
>>>>>                     those of the Baptist School of Health
>>>>>                     Professions. If you have received this e-mail
>>>>>                     in error, or are not the named recipient(s),
>>>>>                     you are hereby notified that any review,
>>>>>                     dissemination, distribution or copying of this
>>>>>                     communication is prohibited by the sender and
>>>>>                     to do so might constitute a violation of the
>>>>>                     Electronic Communications Privacy Act, 18
>>>>>                     U.S.C. section 2510-2521. Please immediately
>>>>>                     notify the sender and delete this e-mail and
>>>>>                     any attachments from your computer.
>>>>>
>>>>>
>>>>>                     _______________________________________________
>>>>>                     midPoint mailing list
>>>>>                     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>                     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>                     -- 
>>>>                       Ing. Ivan Noris
>>>>                       Senior Identity Management Engineer
>>>>                       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>                       _____________________________________________
>>>>                       "Semper Id(e)M Vix."
>>>>
>>>>
>>>>                     _______________________________________________
>>>>                     midPoint mailing list
>>>>                     midPoint at lists.evolveum.com
>>>>                     <mailto:midPoint at lists.evolveum.com>
>>>>                     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                 CONFIDENTIALITY NOTICE:
>>>>                 This e-mail together with any attachments is
>>>>                 proprietary and confidential; intended for only the
>>>>                 recipient(s) named above and may contain
>>>>                 information that is privileged. You should not
>>>>                 retain, copy or use this e-mail or any attachments
>>>>                 for any purpose, or disclose all or any part of the
>>>>                 contents to any person. Any views or opinions
>>>>                 expressed in this e-mail are those of the author
>>>>                 and do not represent those of the Baptist School of
>>>>                 Health Professions. If you have received this
>>>>                 e-mail in error, or are not the named recipient(s),
>>>>                 you are hereby notified that any review,
>>>>                 dissemination, distribution or copying of this
>>>>                 communication is prohibited by the sender and to do
>>>>                 so might constitute a violation of the Electronic
>>>>                 Communications Privacy Act, 18 U.S.C. section
>>>>                 2510-2521. Please immediately notify the sender and
>>>>                 delete this e-mail and any attachments from your
>>>>                 computer.
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 midPoint mailing list
>>>>                 midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>                 -- 
>>>                   Ing. Ivan Noris
>>>                   Senior Identity Management Engineer
>>>                   evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>                   _____________________________________________
>>>                   "Semper Id(e)M Vix."
>>>
>>>
>>>                 _______________________________________________
>>>                 midPoint mailing list
>>>                 midPoint at lists.evolveum.com
>>>                 <mailto:midPoint at lists.evolveum.com>
>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>>
>>>             CONFIDENTIALITY NOTICE:
>>>             This e-mail together with any attachments is proprietary
>>>             and confidential; intended for only the recipient(s)
>>>             named above and may contain information that is
>>>             privileged. You should not retain, copy or use this
>>>             e-mail or any attachments for any purpose, or disclose
>>>             all or any part of the contents to any person. Any views
>>>             or opinions expressed in this e-mail are those of the
>>>             author and do not represent those of the Baptist School
>>>             of Health Professions. If you have received this e-mail
>>>             in error, or are not the named recipient(s), you are
>>>             hereby notified that any review, dissemination,
>>>             distribution or copying of this communication is
>>>             prohibited by the sender and to do so might constitute a
>>>             violation of the Electronic Communications Privacy Act,
>>>             18 U.S.C. section 2510-2521. Please immediately notify
>>>             the sender and delete this e-mail and any attachments
>>>             from your computer.
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>             -- 
>>               Ing. Ivan Noris
>>               Senior Identity Management Engineer
>>               evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>               _____________________________________________
>>               "Semper Id(e)M Vix."
>>
>>
>>             _______________________________________________
>>             midPoint mailing list
>>             midPoint at lists.evolveum.com
>>             <mailto:midPoint at lists.evolveum.com>
>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>       Ing. Ivan Noris
>       Senior Identity Management Engineer
>       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>       _____________________________________________
>       "Semper Id(e)M Vix."
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141211/16d75c19/attachment.htm>

From anand.kothekar at confluxsys.com  Fri Dec 12 05:57:08 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Fri, 12 Dec 2014 10:27:08 +0530
Subject: [midPoint] Midpoint Role UI Issue
Message-ID: <CAHUT-CRKh51cOW88gihX_aPf5_BXUw2S1CrwtOwgrJ+gLF=sGQ@mail.gmail.com>

Hi

I have recently started using midpoint for evaluation. I have a midpoint
environment in my system configured with an ldap resource.

I was trying to play around with roles and inducement, I observed one
behaviour which i think is an issue with midpoint UI.

Problem:

- When i create a role and add an ldap resource inducement with some ldap
groups, the role is properly created and role member gets the appropriate
account and group membership.
- Now if i modify the role like i change the role description and save it,
the induced groups are removed from role. role xml gets modified.
- Another observation is like if a user is assigned multiple roles (roles
in hierarchy), and we remove the above updated role from user then the
group removed from role is not removed from user.


I have attached the role xml's for reference, please look into this and let
me know if it is the case i have mentioned or i am making any mistake.


Regards
Anand
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141212/06f5aa3d/attachment.htm>
-------------- next part --------------
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="9abc45b0-2d13-47b2-b97f-fc4538fc90d7"
      version="1">
   <name>Test Role1</name>
   <description>test role updated</description>
   <metadata>
      <createTimestamp>2014-12-12T10:22:25.654-05:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</createChannel>
      <modifyTimestamp>2014-12-12T10:24:20.868-05:00</modifyTimestamp>
      <modifierRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                   oid="00000000-0000-0000-0000-000000000002"
                   type="tns:UserType"/>
      <modifyChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</modifyChannel>
   </metadata>
   <activation>
      <effectiveStatus>disabled</effectiveStatus>
      <disableTimestamp>2014-12-12T10:22:25.561-05:00</disableTimestamp>
   </activation>
   <iteration>0</iteration>
   <iterationToken/>
   <inducement id="1">
      <construction>
         <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/>
      </construction>
   </inducement>
   <requestable>false</requestable>
</role>
-------------- next part --------------
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="9abc45b0-2d13-47b2-b97f-fc4538fc90d7"
      version="0">
   <name>Test Role1</name>
   <description>test role</description>
   <metadata>
      <createTimestamp>2014-12-12T10:22:25.654-05:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</createChannel>
   </metadata>
   <activation>
      <effectiveStatus>disabled</effectiveStatus>
      <disableTimestamp>2014-12-12T10:22:25.561-05:00</disableTimestamp>
   </activation>
   <iteration>0</iteration>
   <iterationToken/>
   <inducement id="1">
      <construction>
         <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/>
         <attribute>
            <ref xmlns:qn554="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn554:ldapGroups</ref>
            <outbound>
               <expression>
                  <value>cn=testgroup2,ou=groups,dc=confluxsys,dc=com</value>
               </expression>
            </outbound>
         </attribute>
      </construction>
   </inducement>
   <requestable>false</requestable>
</role>

From mederly at evolveum.com  Fri Dec 12 09:33:10 2014
From: mederly at evolveum.com (Pavol Mederly)
Date: Fri, 12 Dec 2014 09:33:10 +0100
Subject: [midPoint] Midpoint Role UI Issue
In-Reply-To: <CAHUT-CRKh51cOW88gihX_aPf5_BXUw2S1CrwtOwgrJ+gLF=sGQ@mail.gmail.com>
References: <CAHUT-CRKh51cOW88gihX_aPf5_BXUw2S1CrwtOwgrJ+gLF=sGQ@mail.gmail.com>
Message-ID: <548AA846.9010000@evolveum.com>

Hello Anand,

as for the losing of inducement details, it seems that you've hit a bug 
in midPoint. I've created a jira issue 
<https://jira.evolveum.com/browse/MID-2113> for it. I'm going to have a 
look at it.

The exact behavior of midPoint when unassigning the role from a user 
depends on assignment enforcement policy that you have set in system 
configuration. I.e. whether the account on the resource should be 
deleted or not. However, in all cases, because now the role has no 
information about the group that it induced (because the information was 
lost while editing), the unassigning of the role will not cause the LDAP 
group to be unassigned.

Best regards,
Pavol

On 12. 12. 2014 5:57, Anand Kothekar wrote:
> Hi
>
> I have recently started using midpoint for evaluation. I have a 
> midpoint environment in my system configured with an ldap resource.
>
> I was trying to play around with roles and inducement, I observed one 
> behaviour which i think is an issue with midpoint UI.
>
> Problem:
>
> - When i create a role and add an ldap resource inducement with some 
> ldap groups, the role is properly created and role member gets the 
> appropriate account and group membership.
> - Now if i modify the role like i change the role description and save 
> it, the induced groups are removed from role. role xml gets modified.
> - Another observation is like if a user is assigned multiple roles 
> (roles in hierarchy), and we remove the above updated role from user 
> then the group removed from role is not removed from user.
>
>
> I have attached the role xml's for reference, please look into this 
> and let me know if it is the case i have mentioned or i am making any 
> mistake.
>
>
> Regards
> Anand
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141212/7905c567/attachment.htm>

From dharm.parakh at gmail.com  Fri Dec 12 13:23:08 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Fri, 12 Dec 2014 17:53:08 +0530
Subject: [midPoint] LDAP Connector Extension
Message-ID: <CAKvVWqyoamPKrg_Oydkt44Gzxxfx0+t40ufi-NcL9XLXG=8srA@mail.gmail.com>

Hi

I have an openldap resource in my environment and i want one auxiliary
objectclass (posixAccount) to be added when i provision a user
account(inetOrgPerson).


- Is it possible to achieve with the ldap connector bundled with midpoint?
- If yes then is there any document i can refer to do this or can you
provide high level details of how to achieve this.



Regards
Dharmendra
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141212/e691d02a/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec 12 17:43:47 2014
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 12 Dec 2014 17:43:47 +0100
Subject: [midPoint] LDAP Connector Extension
In-Reply-To: <CAKvVWqyoamPKrg_Oydkt44Gzxxfx0+t40ufi-NcL9XLXG=8srA@mail.gmail.com>
References: <CAKvVWqyoamPKrg_Oydkt44Gzxxfx0+t40ufi-NcL9XLXG=8srA@mail.gmail.com>
Message-ID: <548B1B43.6040708@evolveum.com>

Hi,

regarding auxiliary object classes:

https://jira.evolveum.com/browse/MID-2121
https://jira.evolveum.com/browse/MID-2120

For "normal" object classes, samples/opendj/piracy may be helpful.

Regards,
Ivan

On 12/12/2014 01:23 PM, dharmendra parakh wrote:
> Hi
>
> I have an openldap resource in my environment and i want one auxiliary
> objectclass (posixAccount) to be added when i provision a user
> account(inetOrgPerson). 
>
>
> - Is it possible to achieve with the ldap connector bundled with midpoint?
> - If yes then is there any document i can refer to do this or can you
> provide high level details of how to achieve this.
>
>
>
> Regards
> Dharmendra
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141212/20800487/attachment.htm>

From radovan.semancik at evolveum.com  Fri Dec 12 18:33:05 2014
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Fri, 12 Dec 2014 18:33:05 +0100
Subject: [midPoint] LDAP Connector Extension
In-Reply-To: <548B1B43.6040708@evolveum.com>
References: <CAKvVWqyoamPKrg_Oydkt44Gzxxfx0+t40ufi-NcL9XLXG=8srA@mail.gmail.com>
 <548B1B43.6040708@evolveum.com>
Message-ID: <548B26D1.4090202@evolveum.com>

Hi,

Just to clarify: This is not an issue of midPoint or a LDAP connector. 
This is an issue of the connector framework - the ConnId framework with 
is based on Sun Identity Connector Framework (Sun ICF). The ICF does not 
have any concept of auxiliary object classes or any concept of more than 
one object class per object. The Sun engineers obviously haven't though 
about this. Therefore this is not directly possible with the ICF/ConnId. 
But there is an indirect way. You have to configure the LDAP connector 
to "hack in" the auxiliary object classes. One such example can be found 
in our sample for Zimbra provisioning:
https://github.com/Evolveum/midpoint/blob/master/samples/resources/zimbra/ldap-zimbra.xml

However we have plans to extend the ConnId framework and add the concept 
of auxiliary object classes and support them properly. This is currently 
planned for 2015Q1.

-- 

                                            Radovan Semancik
                                           Software Architect
                                              evolveum.com



On 12/12/2014 05:43 PM, Ivan Noris wrote:
> Hi,
>
> regarding auxiliary object classes:
>
> https://jira.evolveum.com/browse/MID-2121
> https://jira.evolveum.com/browse/MID-2120
>
> For "normal" object classes, samples/opendj/piracy may be helpful.
>
> Regards,
> Ivan
>
> On 12/12/2014 01:23 PM, dharmendra parakh wrote:
>> Hi
>>
>> I have an openldap resource in my environment and i want one 
>> auxiliary objectclass (posixAccount) to be added when i provision a 
>> user account(inetOrgPerson).
>>
>>
>> - Is it possible to achieve with the ldap connector bundled with 
>> midpoint?
>> - If yes then is there any document i can refer to do this or can you 
>> provide high level details of how to achieve this.
>>
>>
>>
>> Regards
>> Dharmendra
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> -- 
>    Ing. Ivan Noris
>    Senior Identity Management Engineer
>    evolveum.com     evolveum.com/blog/
>    _____________________________________________
>    "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141212/4a76b01e/attachment.htm>

From anand.kothekar at confluxsys.com  Sat Dec 13 11:51:43 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Sat, 13 Dec 2014 16:21:43 +0530
Subject: [midPoint] Assistance In Role Inducement Approval.
Message-ID: <CAHUT-CRRoqWCNrsDReY-G3MzYuGcJ=Q04WUNnD=NsFC+RgC5Kw@mail.gmail.com>

Hi

I was working on *Role Approvals. *I created a role very similar to
the *Sensitive
Role 2.*

The Role I created is working fine and also requesting for approvals as
expected. I created one more Role having the previously role as its
inducement(New Role Inheriting The Previous Role).

Here the hierarchy is working fine and previous role's Groups are getting
added successfully but without any approval request.

So, Will you please help me out for forcing approvals on role Inducements
also.

Please forward me any links related to the issue if available.



Regards
 Anand
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141213/0567f9e4/attachment.htm>

From mederly at evolveum.com  Mon Dec 15 12:34:35 2014
From: mederly at evolveum.com (Pavol Mederly)
Date: Mon, 15 Dec 2014 12:34:35 +0100
Subject: [midPoint] Assistance In Role Inducement Approval.
In-Reply-To: <CAHUT-CRRoqWCNrsDReY-G3MzYuGcJ=Q04WUNnD=NsFC+RgC5Kw@mail.gmail.com>
References: <CAHUT-CRRoqWCNrsDReY-G3MzYuGcJ=Q04WUNnD=NsFC+RgC5Kw@mail.gmail.com>
Message-ID: <548EC74B.80206@evolveum.com>

Hello Anand,

workflow requests are evaluated in so called "primary phase" of 
operation execution. At that time, only changes explicitly requested by 
the user are considered. So, the obvious solution to your problem is to 
add approval information to each role that includes your sensitive role 
as an inducement.

Is it OK for you? Or, is your situation such that you require the 
ability to automatically start all approvals for induced roles? If so, 
please describe it in a few words here.

Best regards,
Pavol

PS: I've noticed you write both to midpoint and midpoint-dev list. It is 
not necessary to do so. I would suggest to send questions like this one 
only to midpoint list (as it is a user-oriented question, not a 
development-related one).

On 13. 12. 2014 11:51, Anand Kothekar wrote:
> Hi
>
> I was working on *Role Approvals. *I created a role very similar to 
> the *Sensitive Role 2.*
> *
> *
> The Role I created is working fine and also requesting for approvals 
> as expected. I created one more Role having the previously role as its 
> inducement(New Role Inheriting The Previous Role).
>
> Here the hierarchy is working fine and previous role's Groups are 
> getting added successfully but without any approval request.
>
> So, Will you please help me out for forcing approvals on role 
> Inducements also.
>
> Please forward me any links related to the issue if available.
>
>
>
> Regards
>  Anand
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141215/2fb93971/attachment.htm>

From anand.kothekar at confluxsys.com  Mon Dec 15 14:52:07 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Mon, 15 Dec 2014 19:22:07 +0530
Subject: [midPoint] Assistance In Role Inducement Approval.
In-Reply-To: <548EC74B.80206@evolveum.com>
References: <CAHUT-CRRoqWCNrsDReY-G3MzYuGcJ=Q04WUNnD=NsFC+RgC5Kw@mail.gmail.com>
 <548EC74B.80206@evolveum.com>
Message-ID: <CAHUT-CRk+ne0SWZBMOt_xZHWfQz-fRqiTAxqNrHPqiK9tHjsgw@mail.gmail.com>

Hello Pavol,

Well, it would really be nice if I could achieve automatic approvals for
induced roles so that it will be beneficial while using multilevel role
inducements with approvals also.

I would also like to know how to add approval information to roles. I tried
going through the documentation but failed to find anything.

It will be great if you provide me link to any of the documentation or
inform about adding approval information to role so that Automatic Approval
for Role Inheritance will be achieved.


Thanks.

On Mon, Dec 15, 2014 at 5:04 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>
>  Hello Anand,
>
> workflow requests are evaluated in so called "primary phase" of operation
> execution. At that time, only changes explicitly requested by the user are
> considered. So, the obvious solution to your problem is to add approval
> information to each role that includes your sensitive role as an inducement.
>
> Is it OK for you? Or, is your situation such that you require the ability
> to automatically start all approvals for induced roles? If so, please
> describe it in a few words here.
>
> Best regards,
> Pavol
>
> PS: I've noticed you write both to midpoint and midpoint-dev list. It is
> not necessary to do so. I would suggest to send questions like this one
> only to midpoint list (as it is a user-oriented question, not a
> development-related one).
>
>
> On 13. 12. 2014 11:51, Anand Kothekar wrote:
>
> Hi
>
>  I was working on *Role Approvals. *I created a role very similar to the *Sensitive
> Role 2.*
>
>  The Role I created is working fine and also requesting for approvals as
> expected. I created one more Role having the previously role as its
> inducement(New Role Inheriting The Previous Role).
>
>  Here the hierarchy is working fine and previous role's Groups are
> getting added successfully but without any approval request.
>
>  So, Will you please help me out for forcing approvals on role
> Inducements also.
>
>  Please forward me any links related to the issue if available.
>
>
>
>  Regards
>  Anand
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141215/5b88be71/attachment.htm>

From anand.kothekar at confluxsys.com  Wed Dec 17 14:04:17 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Wed, 17 Dec 2014 18:34:17 +0530
Subject: [midPoint] Requesting Activiti Configuration Procedure
Message-ID: <CAHUT-CR128DZd_Z0tm5BR3xeRXq2HZ6a_Dm7jOTWTBoWGdjQwg@mail.gmail.com>

Hi,

I want to configure Activity Workflow In Midpoint. I gone through your
documentation but I did not find any document related to Activiti workflow
Configuration.

So, it will be very nice if you can provide me reference or any
documentation for configuring Activiti in Midpoint.



Thanks,
Anand Kothekar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141217/c1627a0f/attachment.htm>

From jeverling at bshp.edu  Wed Dec 17 15:48:30 2014
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 17 Dec 2014 08:48:30 -0600
Subject: [midPoint] 3.1 SNAPSHOT, Username Generation
In-Reply-To: <54894B3D.5090403@evolveum.com>
References: <CAFkZXY5Ph8Zarrf8EF98RQ-Drco6AY4ZdLA_y5+t6329zJB6oA@mail.gmail.com>
 <54886AB8.4080408@evolveum.com>
 <CAFkZXY4B8Vw3RD2xwEh2jEFu3R1NQ07N++uJeQ7=U-e8sSfy_A@mail.gmail.com>
 <54889C7D.3030001@evolveum.com>
 <CAFkZXY6G3k=C5xwT1zsY61itCNng7nBwtQSo=zXkD7q6S0aTEw@mail.gmail.com>
 <5488A080.90404@evolveum.com>
 <CAFkZXY66mmsHvMidXfEBbgqZhzC7NoSLC4cXYuWhRUuPdWO6sA@mail.gmail.com>
 <CAFkZXY5wWJA3uWW6GjMOZM8fFN4EBssS5MZ4fr-tsGssf+c3ow@mail.gmail.com>
 <5488B9E6.1000901@evolveum.com>
 <CAFkZXY6sOAXq70Sm2qUOM9g6k0oKiDq7OpuENJqst4EhNO=7WA@mail.gmail.com>
 <54894B3D.5090403@evolveum.com>
Message-ID: <CAFkZXY4vq_kCi6AxBHf=_JDjRNtQJz0XcnVbuAd+RjEhaVJ4Rw@mail.gmail.com>

I did some more testing over these past few days, I sent Ivan my system xml
dump but I wanted to post here my findings.

Situation:

CSV Resource and objectTemplate for CSV Resource to generate usernames

This works, generates the Username and Email Address correctly,
username at domain.com

If I use the same situation above and add my AD Resource without any other
changes it will start to change the email address to null at domain.com when
pulling from the CSV Resource.

I have narrowed it down to the ri:mail or emailAddress in the AD Resource,
as soon as I put <strength>weak</strength> for the inbound mappings for the
AD Resource then the CSV user import correctly adds the email address
instead of the null at domain.com.

The strangest thing, even though the CSV Resource/Role/objectTemplate is
not even referencing or inducing an AD Account this has an affect on the
email address from CSV.

Thanks,
JASON

On Thu, Dec 11, 2014 at 1:43 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>  This seems reasonable. Good luck.
>
> Regards,
> Ivan
>
>
> On 12/10/2014 10:35 PM, Jason Everling wrote:
>
> I downloaded the latest, I am also going to wipe out my install and start
> bringing in my resources one by one and my templates. I am going to add one
> CSV user at a time while I add my objects just in case it is one of my
> objects I will at least know which one,
>
>  JASON
>
> On Wed, Dec 10, 2014 at 3:23 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Jason,
>>
>> that is really strange, but I'm hoping that it's not happening after you
>> upgrade. I don't have the very very latest midPoint though.
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/10/2014 09:17 PM, Jason Everling wrote:
>>
>> While I am downloading, there has to be something in mine that is doing
>> this, I noticed on yours also that the
>>
>>  <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
>> type="OrgType"><!-- Posam --></parentOrgRef>
>>
>>  is added to the user object but it is still not added on mine when I
>> use the CSV resource but does when using the GUI,
>>
>>  Strange...
>>
>>  JASON
>>
>> On Wed, Dec 10, 2014 at 1:40 PM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> I am using,
>>>
>>>  git-v3.0.1devel-693-g11c758b
>>>
>>>  I will update to the latest since I am behind what yours is at and let
>>> you know
>>>
>>>  JASON
>>>
>>> On Wed, Dec 10, 2014 at 1:35 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  I have re-added the Org assignment as I was testing last week. It's
>>>> still working.
>>>>
>>>> This is what I added at the end of the template:
>>>>
>>>>    <mapping>
>>>>       <authoritative>true</authoritative>
>>>>       <source>
>>>>          <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >organization</c:path>
>>>>       </source>
>>>>       <expression>
>>>>          <assignmentTargetSearch>
>>>>             <targetType xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >c:OrgType</targetType>
>>>>             <filter xmlns:q=
>>>> "http://prism.evolveum.com/xml/ns/public/query-3"
>>>> <http://prism.evolveum.com/xml/ns/public/query-3>>
>>>>                <q:equal>
>>>>                   <q:path>name</q:path>
>>>>                   <expression>
>>>>                      <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >$organization</c:path>
>>>>                   </expression>
>>>>                </q:equal>
>>>>             </filter>
>>>>          </assignmentTargetSearch>
>>>>       </expression>
>>>>       <target>
>>>>          <c:path xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>> >assignment</c:path>
>>>>       </target>
>>>>    </mapping>
>>>>
>>>> User:
>>>> <user xmlns=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>       oid="9be4e4c9-66fc-4fbe-83c8-286ebfb9ac6e"
>>>>       version="1">
>>>>    <name>anpapecok5</name>
>>>>    <parentOrgRef oid="00000000-8888-6666-0000-100000000030"
>>>> type="OrgType"><!-- Posam --></parentOrgRef>
>>>>    <metadata>
>>>>       <createTimestamp>2014-12-10T20:30:38.743+01:00</createTimestamp>
>>>>       <creatorRef oid="00000000-0000-0000-0000-000000000002"
>>>> type="UserType"><!-- administrator --></creatorRef>
>>>>       <createChannel>
>>>> http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
>>>> </createChannel>
>>>>    </metadata>
>>>>    <linkRef oid="abb8d8cc-507b-4210-aac7-3777c37b4b5b"
>>>> type="ShadowType"><!-- papecok5 --></linkRef>
>>>>    <assignment id="1">
>>>>       <targetRef xmlns:c=
>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>                  oid="00000000-8888-6666-0000-100000000030"
>>>>                  type="c:OrgType"><!-- MyOrg --></targetRef>
>>>>    </assignment>
>>>>    <activation>
>>>>       <effectiveStatus>disabled</effectiveStatus>
>>>>       <disableTimestamp>2014-12-10T20:30:38.086+01:00</disableTimestamp>
>>>>    </activation>
>>>>    <iteration>4</iteration>
>>>>    <iterationToken>5</iterationToken>
>>>>    <givenName>Andrej</givenName>
>>>>    <familyName>Papecok</familyName>
>>>>     <emailAddress>anpapecok5 at bshp.edu</emailAddress>
>>>>    <employeeNumber>papecok5</employeeNumber>
>>>>    <costCenter>xxx</costCenter>
>>>>    <organization>MyOrg</organization>
>>>> . . .
>>>> </user>
>>>>
>>>> So unless there is any trick hidden in the other mappings, maybe the
>>>> issue was resolved since your snapshot... Can you post the exact midPoint
>>>> version?
>>>>
>>>> I.
>>>>
>>>>
>>>>
>>>> On 12/10/2014 08:25 PM, Jason Everling wrote:
>>>>
>>>> No not really, looks to be the same,
>>>>
>>>>  I attached the template,
>>>>
>>>>  The only thing else besides creating the username and email address
>>>> is that it assigns the correct Org based on the costCenter attribute which
>>>> is mapped to program in my CSV and also assigns a role,
>>>>
>>>>
>>>>
>>>> On Wed, Dec 10, 2014 at 1:18 PM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hi Jason,
>>>>>
>>>>> this is interesting: it seems to work:
>>>>>
>>>>> Right now I have resource with object template reference in unmatched
>>>>> action:
>>>>> . . .
>>>>>       <reaction>
>>>>>             <situation>unmatched</situation>
>>>>>             <objectTemplateRef
>>>>> oid="10000000-0000-0000-1111-000000000203"/>
>>>>>             <action ref=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser>/>
>>>>>          </reaction>
>>>>> . . .
>>>>>
>>>>> The template:
>>>>> <objectTemplate xmlns=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>>                 oid="10000000-0000-0000-1111-000000000203"
>>>>>                 version="2">
>>>>>    <name>Default User Template (VIX)</name>
>>>>>    <iteration>
>>>>>       <maxIterations>999</maxIterations>
>>>>>       <tokenExpression>
>>>>>          <script>
>>>>>             <code>
>>>>>                             if (iteration == 0) {
>>>>>                             return "";
>>>>>                             } else {
>>>>>                             return "" + (iteration+1)
>>>>>                             }
>>>>>                         </code>
>>>>>          </script>
>>>>>       </tokenExpression>
>>>>>    </iteration>
>>>>>    <mapping>
>>>>>        <name>Generate Username</name>
>>>>>       <source>
>>>>>          <name>tmpGivenName</name>
>>>>>          <c:path xmlns:c=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>> >givenName</c:path>
>>>>>       </source>
>>>>>       <source>
>>>>>          <name>tmpFamilyName</name>
>>>>>           <c:path xmlns:c=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>> >familyName</c:path>
>>>>>       </source>
>>>>>       <expression>
>>>>>          <script>
>>>>>             <code>
>>>>>                     tmpGivenNameInitial =
>>>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>>> (basic.stringify(tmpGivenName)).substring(0,2) : ''
>>>>>                     if (iteration == 0) {
>>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>>> tmpFamilyName))
>>>>>                     }
>>>>>                     else {
>>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>>> tmpFamilyName)) + iterationToken
>>>>>                     }
>>>>>                 </code>
>>>>>          </script>
>>>>>       </expression>
>>>>>       <target>
>>>>>           <c:path xmlns:c=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>> >name</c:path>
>>>>>       </target>
>>>>>    </mapping>
>>>>>    <mapping>
>>>>>       <source>
>>>>>          <c:path xmlns:c=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>> >$user/name</c:path>
>>>>>       </source>
>>>>>       <source>
>>>>>          <c:path xmlns:c=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>> >$user/emailAddress</c:path>
>>>>>       </source>
>>>>>       <expression>
>>>>>          <script>
>>>>>             <language>
>>>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>>>> </language>
>>>>>              <code>name+'@bshp.edu'</code>
>>>>>          </script>
>>>>>       </expression>
>>>>>       <target>
>>>>>          <c:path xmlns:c=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>> >emailAddress</c:path>
>>>>>       </target>
>>>>>    </mapping>
>>>>> </objectTemplate>
>>>>>
>>>>> The CSV entry:
>>>>> employeeID,firstname,lastname,otherMailbox,program,organization
>>>>> "papecok4","Andrej","Papecok","papecok4","xxx","MyOrg"
>>>>>
>>>>> MidPoint User after sync:
>>>>> <user xmlns=
>>>>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
>>>>>       oid="93b18a69-f030-4164-9cef-ef955233b2bc"
>>>>>       version="1">
>>>>>    <name>anpapecok4</name>
>>>>> . . .
>>>>>    <iteration>3</iteration>
>>>>>    <iterationToken>4</iterationToken>
>>>>>    <givenName>Andrej</givenName>
>>>>>    <familyName>Papecok</familyName>
>>>>> *   <emailAddress>anpapecok4 at bshp.edu
>>>>> <anpapecok4 at bshp.edu></emailAddress>*
>>>>>    <employeeNumber>papecok4</employeeNumber>
>>>>> . . .
>>>>> </user>
>>>>>
>>>>> This is midPoint git-v3.0.1devel-704-g0937a70
>>>>>
>>>>> Can you see any difference with your config...?
>>>>>
>>>>> Regards,
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 12/10/2014 05:13 PM, Jason Everling wrote:
>>>>>
>>>>> So I disabled or removed that template from the resource reactions, I
>>>>> set it as the default template is sysconfig.
>>>>>
>>>>>  It still does it,    <emailAddress>null at domain.com</emailAddress>
>>>>> seems to be affected,
>>>>>
>>>>>  Wierd though, I turned on debugging,
>>>>>
>>>>>  It shows the attribute being created correctly, you can see from the
>>>>> log but in the gui and in the user xml it is null at domain.com
>>>>>
>>>>>
>>>>> ObjectDelta<UserType>(UserType:ab907de7-4302-47ef-8003-36959fc842ef,ADD):
>>>>>   user: (ab907de7-4302-47ef-8003-36959fc842ef, v0, UserType)
>>>>>       extension:
>>>>>           otherMailbox: [ hhernandez at local.org ]
>>>>>           eduPersonAffiliation: [ student ]
>>>>>       givenName: Herman
>>>>>       familyName: Hernandes
>>>>>       costCenter: PN
>>>>>       employeeNumber: HE5019982
>>>>>       credentials:
>>>>>           password:
>>>>>               value:
>>>>> ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=
>>>>> http://www.w3.org/2001/04/xmlenc#aes128-cbc),
>>>>> keyInfo=KeyInfoType(keyName=HiCJvCmeUCWoiEl3d+uXyd2VeYs=),
>>>>> cipherData=CipherDataType(cipherValue=[32 bytes])))
>>>>>       activation:
>>>>>           administrativeStatus: ENABLED
>>>>>           effectiveStatus: ENABLED
>>>>>           enableTimestamp: 2014-12-10T10:07:21.502-06:00
>>>>>       emailAddress: hehernandes at domain.com
>>>>>       name: hehernandes
>>>>>       employeeType: [ A2S ]
>>>>>       locale: US
>>>>>       organization: [ OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL ]
>>>>>       locality: San Antonio
>>>>>       fullName: Herman Hernandes
>>>>>       iteration: 0
>>>>>
>>>>> On Wed, Dec 10, 2014 at 9:46 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>>  Jason,
>>>>>>
>>>>>> I believe I have seen this couple of weeks ago when debugging the
>>>>>> iterator problem... seems that I've forgotten about this.
>>>>>>
>>>>>> But as far I can remember, it has worked when the mapping was in
>>>>>> global system template instead of the resource-referenced.
>>>>>>
>>>>>> If you can temporarily disable using of the template in resource and
>>>>>> set the same template in System Configuration for UserType objects, can you
>>>>>> please test the behaviour?
>>>>>>
>>>>>> Anyway it seems to be a bug, so after you could confirm the
>>>>>> behaviour, I'd create a new issue.
>>>>>>
>>>>>> Thanks,
>>>>>> I.
>>>>>>
>>>>>>
>>>>>> On 12/10/2014 04:32 PM, Jason Everling wrote:
>>>>>>
>>>>>>  Since I upgraded to 3.1 and I am not sure if this is related to the
>>>>>> other CSV Resource issue.
>>>>>>
>>>>>>  Here is the mapping for the template, it worked fine in 3.0.1 so I
>>>>>> do not know if anything changed, the email address is built using name + '@
>>>>>> domain.com' but when the user is created I get null at domain.com, like
>>>>>> it is not picking up the username from the first mapping
>>>>>>
>>>>>>      <mapping>
>>>>>>         <name>Generate Username for CSV</name>
>>>>>>         <source>
>>>>>>             <name>tmpGivenName</name>
>>>>>>             <path>givenName</path>
>>>>>>         </source>
>>>>>>         <source>
>>>>>>             <name>tmpFamilyName</name>
>>>>>>             <path>familyName</path>
>>>>>>         </source>
>>>>>>         <!-- Will generate username in the filastname format with
>>>>>> iterator,
>>>>>>               filastname
>>>>>>               filastname2
>>>>>>         -->
>>>>>>         <expression>
>>>>>>             <script>
>>>>>>                 <code>
>>>>>>                     tmpGivenNameInitial =
>>>>>> basic.stringify(tmpGivenName)?.size() &gt; 0 ?
>>>>>>                     (basic.stringify(tmpGivenName)).substring(0,2) :
>>>>>> ''
>>>>>>                     if (iteration == 0) {
>>>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>>>> tmpFamilyName))
>>>>>>                     }
>>>>>>                     else {
>>>>>>                     basic.norm(basic.stringify(tmpGivenNameInitial +
>>>>>> tmpFamilyName)) + iterationToken
>>>>>>                     }
>>>>>>                 </code>
>>>>>>             </script>
>>>>>>         </expression>
>>>>>>         <target>
>>>>>>             <path>name</path>
>>>>>>         </target>
>>>>>>     </mapping>
>>>>>>
>>>>>>      <iteration>
>>>>>>         <maxIterations>25</maxIterations>
>>>>>>         <tokenExpression>
>>>>>>             <script>
>>>>>>                 <code>
>>>>>>                     if (iteration == 0) {
>>>>>>                     return "";
>>>>>>                     } else {
>>>>>>                     return "" + (iteration+1)
>>>>>>                     }
>>>>>>                 </code>
>>>>>>             </script>
>>>>>>         </tokenExpression>
>>>>>>     </iteration>
>>>>>>
>>>>>>      <mapping>
>>>>>>         <source>
>>>>>>             <path>$user/name</path>
>>>>>>         </source>
>>>>>>         <expression>
>>>>>>             <script>
>>>>>>                 <language>
>>>>>> http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy
>>>>>> </language>
>>>>>>                 <code>name + '@domain.com'</code>
>>>>>>             </script>
>>>>>>         </expression>
>>>>>>         <target>
>>>>>>             <path>emailAddress</path>
>>>>>>         </target>
>>>>>>     </mapping>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE:
>>>>>> This e-mail together with any attachments is proprietary and
>>>>>> confidential; intended for only the recipient(s) named above and may
>>>>>> contain information that is privileged. You should not retain, copy or use
>>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>>> computer.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>> --
>>>>>>   Ing. Ivan Noris
>>>>>>   Senior Identity Management Engineer
>>>>>>   evolveum.com     evolveum.com/blog/
>>>>>>   _____________________________________________
>>>>>>   "Semper Id(e)M Vix."
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>> --
>>>>>   Ing. Ivan Noris
>>>>>   Senior Identity Management Engineer
>>>>>   evolveum.com     evolveum.com/blog/
>>>>>   _____________________________________________
>>>>>   "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>>   Ing. Ivan Noris
>>>>   Senior Identity Management Engineer
>>>>   evolveum.com     evolveum.com/blog/
>>>>   _____________________________________________
>>>>   "Semper Id(e)M Vix."
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141217/cf5ded10/attachment.htm>

From anand.kothekar at confluxsys.com  Thu Dec 18 15:12:32 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Thu, 18 Dec 2014 19:42:32 +0530
Subject: [midPoint] Assistance In Role Inducement Approval.
In-Reply-To: <CAHUT-CRk+ne0SWZBMOt_xZHWfQz-fRqiTAxqNrHPqiK9tHjsgw@mail.gmail.com>
References: <CAHUT-CRRoqWCNrsDReY-G3MzYuGcJ=Q04WUNnD=NsFC+RgC5Kw@mail.gmail.com>
 <548EC74B.80206@evolveum.com>
 <CAHUT-CRk+ne0SWZBMOt_xZHWfQz-fRqiTAxqNrHPqiK9tHjsgw@mail.gmail.com>
Message-ID: <CAHUT-CTAbXmN+ZTS3r3m+Y+D62G1Mahf5qaA=pPMPUaEMd9s2Q@mail.gmail.com>

Hi,

Can anyone provide me assistance on this..


Thanks
Anand Kothekar

On Mon, Dec 15, 2014 at 7:22 PM, Anand Kothekar <
anand.kothekar at confluxsys.com> wrote:
>
> Hello Pavol,
>
> Well, it would really be nice if I could achieve automatic approvals for
> induced roles so that it will be beneficial while using multilevel role
> inducements with approvals also.
>
> I would also like to know how to add approval information to roles. I
> tried going through the documentation but failed to find anything.
>
> It will be great if you provide me link to any of the documentation or
> inform about adding approval information to role so that Automatic Approval
> for Role Inheritance will be achieved.
>
>
> Thanks.
>
> On Mon, Dec 15, 2014 at 5:04 PM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>>
>>  Hello Anand,
>>
>> workflow requests are evaluated in so called "primary phase" of operation
>> execution. At that time, only changes explicitly requested by the user are
>> considered. So, the obvious solution to your problem is to add approval
>> information to each role that includes your sensitive role as an inducement.
>>
>> Is it OK for you? Or, is your situation such that you require the ability
>> to automatically start all approvals for induced roles? If so, please
>> describe it in a few words here.
>>
>> Best regards,
>> Pavol
>>
>> PS: I've noticed you write both to midpoint and midpoint-dev list. It is
>> not necessary to do so. I would suggest to send questions like this one
>> only to midpoint list (as it is a user-oriented question, not a
>> development-related one).
>>
>>
>> On 13. 12. 2014 11:51, Anand Kothekar wrote:
>>
>> Hi
>>
>>  I was working on *Role Approvals. *I created a role very similar to the *Sensitive
>> Role 2.*
>>
>>  The Role I created is working fine and also requesting for approvals as
>> expected. I created one more Role having the previously role as its
>> inducement(New Role Inheriting The Previous Role).
>>
>>  Here the hierarchy is working fine and previous role's Groups are
>> getting added successfully but without any approval request.
>>
>>  So, Will you please help me out for forcing approvals on role
>> Inducements also.
>>
>>  Please forward me any links related to the issue if available.
>>
>>
>>
>>  Regards
>>  Anand
>>
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141218/c0e0694b/attachment.htm>

From anand.kothekar at confluxsys.com  Thu Dec 18 17:28:28 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Thu, 18 Dec 2014 21:58:28 +0530
Subject: [midPoint] Assistance In Role Inducement Approval.
In-Reply-To: <CAHUT-CTAbXmN+ZTS3r3m+Y+D62G1Mahf5qaA=pPMPUaEMd9s2Q@mail.gmail.com>
References: <CAHUT-CRRoqWCNrsDReY-G3MzYuGcJ=Q04WUNnD=NsFC+RgC5Kw@mail.gmail.com>
 <548EC74B.80206@evolveum.com>
 <CAHUT-CRk+ne0SWZBMOt_xZHWfQz-fRqiTAxqNrHPqiK9tHjsgw@mail.gmail.com>
 <CAHUT-CTAbXmN+ZTS3r3m+Y+D62G1Mahf5qaA=pPMPUaEMd9s2Q@mail.gmail.com>
Message-ID: <CAHUT-CSM9EKsd6zRx5KciN6b8j3xr4Gz2bEQMMJXUGRub-LY=A@mail.gmail.com>

Sorry Wrong Mail Trailed.

On Thu, Dec 18, 2014 at 7:42 PM, Anand Kothekar <
anand.kothekar at confluxsys.com> wrote:
>
> Hi,
>
> Can anyone provide me assistance on this..
>
>
> Thanks
> Anand Kothekar
>
> On Mon, Dec 15, 2014 at 7:22 PM, Anand Kothekar <
> anand.kothekar at confluxsys.com> wrote:
>>
>> Hello Pavol,
>>
>> Well, it would really be nice if I could achieve automatic approvals for
>> induced roles so that it will be beneficial while using multilevel role
>> inducements with approvals also.
>>
>> I would also like to know how to add approval information to roles. I
>> tried going through the documentation but failed to find anything.
>>
>> It will be great if you provide me link to any of the documentation or
>> inform about adding approval information to role so that Automatic Approval
>> for Role Inheritance will be achieved.
>>
>>
>> Thanks.
>>
>> On Mon, Dec 15, 2014 at 5:04 PM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>>
>>>  Hello Anand,
>>>
>>> workflow requests are evaluated in so called "primary phase" of
>>> operation execution. At that time, only changes explicitly requested by the
>>> user are considered. So, the obvious solution to your problem is to add
>>> approval information to each role that includes your sensitive role as an
>>> inducement.
>>>
>>> Is it OK for you? Or, is your situation such that you require the
>>> ability to automatically start all approvals for induced roles? If so,
>>> please describe it in a few words here.
>>>
>>> Best regards,
>>> Pavol
>>>
>>> PS: I've noticed you write both to midpoint and midpoint-dev list. It is
>>> not necessary to do so. I would suggest to send questions like this one
>>> only to midpoint list (as it is a user-oriented question, not a
>>> development-related one).
>>>
>>>
>>> On 13. 12. 2014 11:51, Anand Kothekar wrote:
>>>
>>> Hi
>>>
>>>  I was working on *Role Approvals. *I created a role very similar to
>>> the *Sensitive Role 2.*
>>>
>>>  The Role I created is working fine and also requesting for approvals
>>> as expected. I created one more Role having the previously role as its
>>> inducement(New Role Inheriting The Previous Role).
>>>
>>>  Here the hierarchy is working fine and previous role's Groups are
>>> getting added successfully but without any approval request.
>>>
>>>  So, Will you please help me out for forcing approvals on role
>>> Inducements also.
>>>
>>>  Please forward me any links related to the issue if available.
>>>
>>>
>>>
>>>  Regards
>>>  Anand
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141218/8026d037/attachment.htm>

From anand.kothekar at confluxsys.com  Thu Dec 18 17:30:25 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Thu, 18 Dec 2014 22:00:25 +0530
Subject: [midPoint] Requesting Activiti Configuration Procedure
In-Reply-To: <CAHUT-CR128DZd_Z0tm5BR3xeRXq2HZ6a_Dm7jOTWTBoWGdjQwg@mail.gmail.com>
References: <CAHUT-CR128DZd_Z0tm5BR3xeRXq2HZ6a_Dm7jOTWTBoWGdjQwg@mail.gmail.com>
Message-ID: <CAHUT-CTC6g7Sqe1Lf8P4RUVVTXHz7NcsUAtP8e_8AqYmXvRMzg@mail.gmail.com>

Hi,

Can anyone provide me assistance on this..


Thanks

On Wed, Dec 17, 2014 at 6:34 PM, Anand Kothekar <
anand.kothekar at confluxsys.com> wrote:
>
> Hi,
>
> I want to configure Activity Workflow In Midpoint. I gone through your
> documentation but I did not find any document related to Activiti workflow
> Configuration.
>
> So, it will be very nice if you can provide me reference or any
> documentation for configuring Activiti in Midpoint.
>
>
>
> Thanks,
> Anand Kothekar
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141218/7641d533/attachment.htm>

From mederly at evolveum.com  Thu Dec 18 17:35:15 2014
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 18 Dec 2014 17:35:15 +0100
Subject: [midPoint] Assistance In Role Inducement Approval.
In-Reply-To: <CAHUT-CTAbXmN+ZTS3r3m+Y+D62G1Mahf5qaA=pPMPUaEMd9s2Q@mail.gmail.com>
References: <CAHUT-CRRoqWCNrsDReY-G3MzYuGcJ=Q04WUNnD=NsFC+RgC5Kw@mail.gmail.com>
 <548EC74B.80206@evolveum.com>
 <CAHUT-CRk+ne0SWZBMOt_xZHWfQz-fRqiTAxqNrHPqiK9tHjsgw@mail.gmail.com>
 <CAHUT-CTAbXmN+ZTS3r3m+Y+D62G1Mahf5qaA=pPMPUaEMd9s2Q@mail.gmail.com>
Message-ID: <54930243.5040108@evolveum.com>

Hello Anand,

> Well, it would really be nice if I could achieve automatic approvals 
> for induced roles so that it will be beneficial while using multilevel 
> role inducements with approvals also.
I agree. I've created a record for this issue (MID-2130 
<https://jira.evolveum.com/browse/MID-2130>). Unfortunately, I cannot 
promise any specific date when it could be implemented. Please contact 
Igor or Radovan regarding this.

> I would also like to know how to add approval information to roles. I 
> tried going through the documentation but failed to find anything.
All relevant information about workflows is available at this page 
<https://wiki.evolveum.com/display/midPoint/Workflows>.

In particular, how to configure approval information for roles is here 
<https://wiki.evolveum.com/display/midPoint/Some+examples>. For example, 
when adding a single approver for a role, just add the <approverRef> 
reference to the role (as in Sensitive Role 1). Multi-level structure 
can be added via <approvalSchema> (as in Sensitive Role 2). Dynamically 
defined approvers can be specified via expressions under 
<approverExpression>/<automaticallyApproved> properties (as in Sensitive 
Role 3).

As for your other question,
> I want to configure Activity Workflow In Midpoint. I gone through your 
> documentation but I did not find any document related to Activiti 
> workflow Configuration.
I would say this:

1) role-related approvals are enabled as written here 
<https://wiki.evolveum.com/display/midPoint/Workflow+configuration>, 
namely by including the following in the system config file:

|<||workflow||>|
|<||changeProcessors||>|
|<||primaryUserChangeProcessor||>|
|<||aspect||>addRoleAssignmentAspect</||aspect||>|
|</||primaryUserChangeProcessor||>|
|</||changeProcessors||>|
|||</||workflow||>

|
2) as for other uses of workflows, you first have to specify what 
exactly has to be approved, and how. To do that, it is necessary to read 
the following documents:

  * architectural description of workflows in midPoint (at least to find
    out what is a change processor and workflow aspect):
    https://wiki.evolveum.com/display/midPoint/Workflow+Management
  * how to create your own workflow aspect:
    https://wiki.evolveum.com/display/midPoint/How+to+develop+your+own+approval+processes+-+case+1+-+using+primary+change+processor+and+general+item+approval+process

If you would need any specific assistance, just ask here. We're ready to 
help you.

Best regards,
Pavol

On 18. 12. 2014 15:12, Anand Kothekar wrote:
> Hi,
>
> Can anyone provide me assistance on this..
>
>
> Thanks
> Anand Kothekar
>
> On Mon, Dec 15, 2014 at 7:22 PM, Anand Kothekar 
> <anand.kothekar at confluxsys.com <mailto:anand.kothekar at confluxsys.com>> 
> wrote:
>
>     Hello Pavol,
>
>     Well, it would really be nice if I could achieve automatic
>     approvals for induced roles so that it will be beneficial while
>     using multilevel role inducements with approvals also.
>
>     I would also like to know how to add approval information to
>     roles. I tried going through the documentation but failed to find
>     anything.
>
>     It will be great if you provide me link to any of the
>     documentation or inform about adding approval information to role
>     so that Automatic Approval for Role Inheritance will be achieved.
>
>
>     Thanks.
>
>     On Mon, Dec 15, 2014 at 5:04 PM, Pavol Mederly
>     <mederly at evolveum.com <mailto:mederly at evolveum.com>> wrote:
>
>         Hello Anand,
>
>         workflow requests are evaluated in so called "primary phase"
>         of operation execution. At that time, only changes explicitly
>         requested by the user are considered. So, the obvious solution
>         to your problem is to add approval information to each role
>         that includes your sensitive role as an inducement.
>
>         Is it OK for you? Or, is your situation such that you require
>         the ability to automatically start all approvals for induced
>         roles? If so, please describe it in a few words here.
>
>         Best regards,
>         Pavol
>
>         PS: I've noticed you write both to midpoint and midpoint-dev
>         list. It is not necessary to do so. I would suggest to send
>         questions like this one only to midpoint list (as it is a
>         user-oriented question, not a development-related one).
>
>
>         On 13. 12. 2014 11:51, Anand Kothekar wrote:
>>         Hi
>>
>>         I was working on *Role Approvals. *I created a role very
>>         similar to the *Sensitive Role 2.*
>>         *
>>         *
>>         The Role I created is working fine and also requesting for
>>         approvals as expected. I created one more Role having the
>>         previously role as its inducement(New Role Inheriting The
>>         Previous Role).
>>
>>         Here the hierarchy is working fine and previous role's Groups
>>         are getting added successfully but without any approval request.
>>
>>         So, Will you please help me out for forcing approvals on role
>>         Inducements also.
>>
>>         Please forward me any links related to the issue if available.
>>
>>
>>
>>         Regards
>>          Anand
>>
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com  <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>         _______________________________________________
>         midPoint mailing list
>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141218/aa42bd49/attachment.htm>

From anand.kothekar at confluxsys.com  Fri Dec 19 16:42:48 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Fri, 19 Dec 2014 21:12:48 +0530
Subject: [midPoint] Assistance In Role Inducement Approval.
In-Reply-To: <54930243.5040108@evolveum.com>
References: <CAHUT-CRRoqWCNrsDReY-G3MzYuGcJ=Q04WUNnD=NsFC+RgC5Kw@mail.gmail.com>
 <548EC74B.80206@evolveum.com>
 <CAHUT-CRk+ne0SWZBMOt_xZHWfQz-fRqiTAxqNrHPqiK9tHjsgw@mail.gmail.com>
 <CAHUT-CTAbXmN+ZTS3r3m+Y+D62G1Mahf5qaA=pPMPUaEMd9s2Q@mail.gmail.com>
 <54930243.5040108@evolveum.com>
Message-ID: <CAHUT-CRM-sfZEh5VzfN2WsRR2z2-AoDyaP0DTbJ7fLO3uAu6Ag@mail.gmail.com>

Thank you very much for the assistance.



On Thu, Dec 18, 2014 at 10:05 PM, Pavol Mederly <mederly at evolveum.com>
wrote:
>
>  Hello Anand,
>
> Well, it would really be nice if I could achieve automatic approvals for
> induced roles so that it will be beneficial while using multilevel role
> inducements with approvals also.
>
> I agree. I've created a record for this issue (MID-2130
> <https://jira.evolveum.com/browse/MID-2130>). Unfortunately, I cannot
> promise any specific date when it could be implemented. Please contact Igor
> or Radovan regarding this.
>
> I would also like to know how to add approval information to roles. I
> tried going through the documentation but failed to find anything.
>
> All relevant information about workflows is available at this page
> <https://wiki.evolveum.com/display/midPoint/Workflows>.
>
> In particular, how to configure approval information for roles is here
> <https://wiki.evolveum.com/display/midPoint/Some+examples>. For example,
> when adding a single approver for a role, just add the <approverRef>
> reference to the role (as in Sensitive Role 1). Multi-level structure can
> be added via  <approvalSchema> (as in Sensitive Role 2). Dynamically
> defined approvers can be specified via expressions under
> <approverExpression>/<automaticallyApproved> properties (as in Sensitive
> Role 3).
>
> As for your other question,
>
> I want to configure Activity Workflow In Midpoint. I gone through your
> documentation but I did not find any document related to Activiti workflow
> Configuration.
>
> I would say this:
>
> 1) role-related approvals are enabled as written here
> <https://wiki.evolveum.com/display/midPoint/Workflow+configuration>,
> namely by including the following in the system config file:
>
>  <workflow>
>      <changeProcessors>
>          <primaryUserChangeProcessor>
>              <aspect>addRoleAssignmentAspect</aspect>
>          </primaryUserChangeProcessor>
>      </changeProcessors>
>  </workflow>
>
>  2) as for other uses of workflows, you first have to specify what
> exactly has to be approved, and how. To do that, it is necessary to read
> the following documents:
>
>    - architectural description of workflows in midPoint (at least to find
>    out what is a change processor and workflow aspect):
>    https://wiki.evolveum.com/display/midPoint/Workflow+Management
>    - how to create your own workflow aspect:
>    https://wiki.evolveum.com/display/midPoint/How+to+develop+your+own+approval+processes+-+case+1+-+using+primary+change+processor+and+general+item+approval+process
>
> If you would need any specific assistance, just ask here. We're ready to
> help you.
>
> Best regards,
> Pavol
>
>
> On 18. 12. 2014 15:12, Anand Kothekar wrote:
>
> Hi,
>
>  Can anyone provide me assistance on this..
>
>
>  Thanks
> Anand Kothekar
>
> On Mon, Dec 15, 2014 at 7:22 PM, Anand Kothekar <
> anand.kothekar at confluxsys.com> wrote:
>>
>> Hello Pavol,
>>
>>  Well, it would really be nice if I could achieve automatic approvals
>> for induced roles so that it will be beneficial while using multilevel role
>> inducements with approvals also.
>>
>>  I would also like to know how to add approval information to roles. I
>> tried going through the documentation but failed to find anything.
>>
>>  It will be great if you provide me link to any of the documentation or
>> inform about adding approval information to role so that Automatic Approval
>> for Role Inheritance will be achieved.
>>
>>
>>  Thanks.
>>
>> On Mon, Dec 15, 2014 at 5:04 PM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>>
>>>  Hello Anand,
>>>
>>> workflow requests are evaluated in so called "primary phase" of
>>> operation execution. At that time, only changes explicitly requested by the
>>> user are considered. So, the obvious solution to your problem is to add
>>> approval information to each role that includes your sensitive role as an
>>> inducement.
>>>
>>> Is it OK for you? Or, is your situation such that you require the
>>> ability to automatically start all approvals for induced roles? If so,
>>> please describe it in a few words here.
>>>
>>> Best regards,
>>> Pavol
>>>
>>> PS: I've noticed you write both to midpoint and midpoint-dev list. It is
>>> not necessary to do so. I would suggest to send questions like this one
>>> only to midpoint list (as it is a user-oriented question, not a
>>> development-related one).
>>>
>>>
>>> On 13. 12. 2014 11:51, Anand Kothekar wrote:
>>>
>>>  Hi
>>>
>>>  I was working on *Role Approvals. *I created a role very similar to
>>> the *Sensitive Role 2.*
>>>
>>>  The Role I created is working fine and also requesting for approvals
>>> as expected. I created one more Role having the previously role as its
>>> inducement(New Role Inheriting The Previous Role).
>>>
>>>  Here the hierarchy is working fine and previous role's Groups are
>>> getting added successfully but without any approval request.
>>>
>>>  So, Will you please help me out for forcing approvals on role
>>> Inducements also.
>>>
>>>  Please forward me any links related to the issue if available.
>>>
>>>
>>>
>>>  Regards
>>>  Anand
>>>
>>>
>>>
>>>  _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141219/d4329aa3/attachment.htm>

From anand.kothekar at confluxsys.com  Tue Dec 23 08:55:43 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Tue, 23 Dec 2014 13:25:43 +0530
Subject: [midPoint] Resource Add/Removal Approval
Message-ID: <CAHUT-CT5GghX_i0yeuyap=MZ9AryLa9fB+XrKJQUAGobnXoeEQ@mail.gmail.com>

Hi

  I wanted to know that whether it is possible to raise an approval request
at the time of resource *assignment* to *Role. *(I want approval for
*Assignment
of Resource* a/c to *Role*)

  And going through your documentation I also found out that it is possible
to have * role/resource removal approval.*

 So I want information about achieving,

   -       Approval For Adding Resource To Role
   -       Resource Add/Remove Approval.


   So  will you please assist me with the two functionalities as early as
possible.



    Thanks,
Anand Kothekar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141223/dacc72fc/attachment.htm>

From anand.kothekar at confluxsys.com  Wed Dec 24 11:21:33 2014
From: anand.kothekar at confluxsys.com (Anand Kothekar)
Date: Wed, 24 Dec 2014 15:51:33 +0530
Subject: [midPoint] Resource Add/Removal Approval
In-Reply-To: <CAHUT-CT5GghX_i0yeuyap=MZ9AryLa9fB+XrKJQUAGobnXoeEQ@mail.gmail.com>
References: <CAHUT-CT5GghX_i0yeuyap=MZ9AryLa9fB+XrKJQUAGobnXoeEQ@mail.gmail.com>
Message-ID: <CAHUT-CSakGhoRwzMR4X4qGhfLgV3H9wwqB24vczxSWo79PpHJQ@mail.gmail.com>

Hi,

Can anyone provide me assistance on this..


Thanks

On Tue, Dec 23, 2014 at 1:25 PM, Anand Kothekar <
anand.kothekar at confluxsys.com> wrote:

> Hi
>
>   I wanted to know that whether it is possible to raise an approval
> request at the time of resource *assignment* to *Role. *(I want approval
> for *Assignment of Resource* a/c to *Role*)
>
>   And going through your documentation I also found out that it is
> possible to have * role/resource removal approval.*
>
>  So I want information about achieving,
>
>    -       Approval For Adding Resource To Role
>    -       Resource Add/Remove Approval.
>
>
>    So  will you please assist me with the two functionalities as early as
> possible.
>
>
>
>     Thanks,
> Anand Kothekar
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141224/7ce435f1/attachment.htm>

From dharm.parakh at gmail.com  Mon Dec 29 12:30:43 2014
From: dharm.parakh at gmail.com (dharmendra parakh)
Date: Mon, 29 Dec 2014 17:00:43 +0530
Subject: [midPoint] Assistance with Resource/Account provisioning operations
 using Webservice client
Message-ID: <CAKvVWqx5XXf--hm2G4tK1Fpb_hidu=m6Gb3gQ+9bXSPTS9NbZg@mail.gmail.com>

Hi

Hope you all had a nice Christmas, I wish you all a very Happy new year
2015 ahead.

I have a requirement where i have to provision account/resource to a
role/user in midpoint using model web service. I was able to create and
search account using web service client (model-client-sample)

- I need some pointers on how to update the account. I tried few things
some didn't work and some worked partially. can you help me providing the
right way or a code snippet to do it.

I have attached a code snippet which replaces the role assignment and it
works if i remove the attribute itself from construction but when i try to
remove some values of a multi-valued attribute instead of removing those
values it tries to add other value which are already present


- One more thing there is a method in web service to get the owner of
shadow account but that can be a user only, how we can get the owner of a
shadow if that owner is a role.

following is the method:

*findShadowOwner(shadowOid, user, result);*



Thanks & regards
Dharmendra
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141229/8ebfb4e3/attachment.htm>
-------------- next part --------------
		ObjectDeltaType shadowDelta = new ObjectDeltaType();
		shadowDelta.setOid(role.getOid());
		shadowDelta.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
		shadowDelta.setChangeType(ChangeTypeType.MODIFY);
		
		List<AssignmentType> assignmentList = role.getAssignment();
		AssignmentType tempAssignment = null;
		for(AssignmentType assignment : assignmentList){
			tempAssignment = assignment;
			List<ResourceAttributeDefinitionType> attrs = new ArrayList<ResourceAttributeDefinitionType>(assignment.getConstruction().getAttribute()); 
			List<ResourceAttributeDefinitionType> exAttrs = assignment.getConstruction().getAttribute();
			
			for(ResourceAttributeDefinitionType attr: attrs){
				String attrName = attr.getRef().getLocalPart();
				if(attrName.equals("ldapGroups")){
//					exAttrs.remove(attr);
					ResourceAttributeDefinitionType attr1 = exAttrs.get(exAttrs.indexOf(attr));
					attr1.getOutbound().getExpression().getExpressionEvaluator().remove(0);
				}
			}
			
			break;
		}
		

		ItemDeltaType itemDelta = new ItemDeltaType();
		itemDelta.setModificationType(ModificationTypeType.REPLACE);
		itemDelta.setPath(ModelClientUtil.createItemPathType("assignment"));
		itemDelta.getValue().add(tempAssignment);

		
		
		shadowDelta.getItemDelta().add(itemDelta);

		ObjectDeltaListType deltaList = new ObjectDeltaListType();
		deltaList.getDelta().add(shadowDelta);
		modelPort.executeChanges(deltaList, null);