[midPoint] Account Creation, Not Being created in AD

Ivan Noris ivan.noris at evolveum.com
Fri Dec 5 09:10:51 CET 2014


Jason,

I've just tried the original iterator (User in midPoint) problem and it
seems to be fixed in git-v3.0.1devel-703-g8c40b63.

I've tested with LiveSync CSV sample from you, used user template either
referenced from the unmatched action or global template. Username is
generated in midPoint:

(username - fullname)
cypecienka - Cyrus Pecienka
cypecienka2 - Cyrusov Pecienka
cypecienka3 - Cyril Pecienka
cypecienka4 - Cyrhoza Pecienka

Please retest it once after you upgrade to 3.1 or the master snapshot.
Thank you.

Regards,
Ivan

On 11/07/2014 04:23 PM, Jason Everling wrote:
> Thanks, it is working, like you said, will be easier to manage in the
> long run! Keep me posted on the bug fix,
>
> For now, I am just cleaning up objects and playing with other functions,
>
> JASON
>
> On Fri, Nov 7, 2014 at 2:56 AM, Ivan Noris <Ivan.Noris at evolveum.com
> <mailto:Ivan.Noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     yes you can use switch in one mapping instead of having many
>     mappings - I'm using it very often. It will be more simple to
>     maintain.
>
>     Just be sure to pass all required attributes as source. In your
>     case, organization does not have to be a source attribute, because
>     you are not referencing it in the mapping expression nor in the
>     conditions.
>
>     You can further simplify the switch statement as:
>
>     switch (costCenter) {
>     . . .
>
>     - no basic.stringify() is needed, because the attribute type is
>     String and not Polystring. Having it there would not do any harm
>     though.
>     - you can address the attribute as "costCenter", because it's
>     implicitly stored in that "variable" as it is declared as source
>     attribute
>
>     Hope this helps you with designing your mappings.
>
>     Regards,
>     Ivan
>
>     ------------------------------------------------------------------------
>
>         *From: *"Jason Everling" <jeverling at bshp.edu
>         <mailto:jeverling at bshp.edu>>
>         *To: *"midPoint General Discussion"
>         <midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>>
>         *Sent: *Thursday, November 6, 2014 6:00:04 PM
>
>         *Subject: *Re: [midPoint] Account Creation, Not Being created
>         in AD
>
>         Oh Ok thanks,
>
>         Can you look at this and make sure it is correct, if you look
>         at the CSV User template I had sent I had a condition for each
>         program, I did some more digging on github and found a sample
>         similar to this,
>
>         Would the below work instead of all the conditions for mapping, 
>
>         <mapping>
>             <source>
>                 <path>$user/costCenter</path>
>             </source>
>             <source>
>                 <path>$user/organization</path>
>             </source>
>             <expression>
>                 <script>
>                     <code>
>                         tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>                         switch (basic.stringify(user.getCostCenter())) {
>                             case 'ASGA':
>                                 tmpOU = 'OU=AAD,' + tmpOU
>                                 break
>                             case 'AAD':
>                                 tmpOU = 'OU=AAD,' + tmpOU
>                                 break
>                             case 'ASHIT':
>                                 tmpOU = 'OU=AAS HIT,' + tmpOU
>                                 break
>                             case 'BSHM':
>                                 tmpOU = 'OU=BSHM,' + tmpOU
>                                 break
>                             case 'BSN':
>                                 tmpOU = 'OU=BSN,' + tmpOU
>                                 break
>                             case 'ASIM':
>                                 tmpOU = 'OU=DMIT,' + tmpOU
>                                 break
>                             case 'CT':
>                                 tmpOU = 'OU=DMIT,' + tmpOU
>                                 break
>                             case 'MRI':
>                                 tmpOU = 'OU=DMIT,' + tmpOU
>                                 break
>                             case 'RT':
>                                 tmpOU = 'OU=DMIT,' + tmpOU
>                                 break
>                             case 'VT':
>                                 tmpOU = 'OU=DMIT,' + tmpOU
>                                 break
>                             case 'SO':
>                                 tmpOU = 'OU=DMIT,' + tmpOU
>                                 break
>                             case 'PN':
>                                 tmpOU = 'OU=DPN,' + tmpOU
>                                 break
>                             case 'ND':
>                                 tmpOU = 'OU=DPN,' + tmpOU
>                                 break
>                             case 'ASGT':
>                                 tmpOU = 'OU=DST,' + tmpOU
>                                 break
>                             case 'ST':
>                                 tmpOU = 'OU=DST,' + tmpOU
>                                 break
>                             case 'VN':
>                                 tmpOU = 'OU=DVN,' + tmpOU
>                                 break
>                             case 'GEN':
>                                 tmpOU = 'OU=GENED,' + tmpOU
>                                 break
>                             case 'LVRN':
>                                 tmpOU = 'OU=LVRN,' + tmpOU
>                                 break
>                             case 'PO':
>                                 tmpOU = 'OU=PNP,' + tmpOU
>                                 break
>                             default:
>                                 tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>                         }
>                         return tmpOU
>                     </code>
>                 </script>
>             </expression>
>             <target>
>                 <path>organization</path>
>             </target>
>         </mapping>
>
>         On Thu, Nov 6, 2014 at 10:36 AM, Ivan Noris
>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>             Hi Jason,
>
>             it seems you've hit a bug. I've replicated it on midPoint
>             master.
>
>             The issue is now being investigated by our developers in
>             order to fix it. I will drop a message to the list when
>             it's resolved.
>
>             Regards,
>             Ivan
>
>
>             On 11/05/2014 03:13 PM, Jason Everling wrote:
>
>                 So the role that gets assigned is nothing special, I
>                 just created a new role in the GUI and added the
>                 inducement for AD Resource. Eventually I will change
>                 the permissions on the roles to match what they need
>                 to be in production.
>
>                 I attached the AD Resource and AD User Template,
>
>                 JASON
>
>                 On Wed, Nov 5, 2014 at 3:17 AM, Ivan Noris
>                 <Ivan.Noris at evolveum.com
>                 <mailto:Ivan.Noris at evolveum.com>> wrote:
>
>                     Hi Jason,
>
>                     yes I think it's somehow depending on the fact
>                     that you are generating username.
>
>                     Can you please share details how AD accounts are
>                     constructed from the midpoint's username? What
>                     attributes are depending on user/name? DN?
>                     sAMAccountName? ... ?
>                     Also, could you send the role definition? I have
>                     some conditional roles that are assigned to user,
>                     but don't do anything if the condition is false.
>                     Which resembles your situation...
>
>                     BTW it's really strange for me so far. I'd expect
>                     at least some exception...
>
>                     Thanks,
>                     regards,
>                     Ivan
>
>                     ------------------------------------------------------------------------
>
>                         *From: *"Jason Everling" <jeverling at bshp.edu
>                         <mailto:jeverling at bshp.edu>>
>                         *To: *"midPoint General Discussion"
>                         <midpoint at lists.evolveum.com
>                         <mailto:midpoint at lists.evolveum.com>>
>                         *Sent: *Tuesday, November 4, 2014 5:19:31 PM
>                         *Subject: *Re: [midPoint] Account Creation,
>                         Not Being created in AD
>
>
>                         So yes, those are from today but instead of
>                         digging through to yesterday I just added a
>                         new line to the CSV feed, so new
>                         firstname,lastname, employeeID so that it
>                         would create a new account.
>
>                         I actually added 3 new lines to the CSV and
>                         all 3 get created in Midpoint, Role Assigned
>                         with AD inducement, and Org Assigned, the AD
>                         account never gets created though until I
>                         modify the account in Midpoint.
>
>                         That is the only log entry I get when the CSV
>                         feed is updated and new account is created in
>                         Midpoint,
>
>                         Using Midpoint 3.0
>
>                         Version 	3.0
>                         Git describe 	git-v3.0
>
>
>                         If I remove the username generation and add a
>                         username attribute to the CSV feed it works as
>                         expected, this is just when generating the
>                         username, is it maybe because the role is
>                         getting assigned before Midpoint has time to
>                         generate the username and such?
>
>                         Jason
>
>                         On Tue, Nov 4, 2014 at 9:57 AM, Ivan Noris
>                         <ivan.noris at evolveum.com
>                         <mailto:ivan.noris at evolveum.com>> wrote:
>
>                             Hi Jason,
>
>                             just to be sure: these error messages have
>                             timestamp from today; but you've reported
>                             your problem to the list yesterday.
>
>                             Could you please:
>
>                             1) double check that the log is the
>                             correct one / or find the (supposed) error
>                             messages in previously rotated log (stored
>                             in the same directory as idm.log, but the
>                             name derived from the date..)
>                             2) replicate the issue and send current
>                             idm.log fragment
>
>                             The messages referenced here are ok = we
>                             don't see anything yet.
>
>                             Also please, what version of midPoint are
>                             you using..?
>
>                             Thanks,
>                             regards,
>                             Ivan
>
>
>                             On 11/04/2014 03:25 PM, Jason Everling wrote:
>
>                                 I added a new line to the CSV so it
>                                 could create a new user, it gets
>                                 created in Midpoint and the role and
>                                 org assigned, the only item in the log
>                                 that stands out is,
>
>                                 2014-11-04 08:22:11,914 [PROVISIONING]
>                                 [midPointScheduler_Worker-2] WARN
>                                 (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter):
>                                 The resource: SonisWeb-Generate
>                                 (OID:af2bc95b-76e0-48e2-86d6-3d4f02d3fafa)
>                                 does not provide definition for null
>                                 value of simulated activation attribute
>
>                                 There are no other errors besides that,
>
>                                 2014-11-04 08:09:00,859 [REPOSITORY]
>                                 [midPointScheduler_Worker-6] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:09:29,824 [REPOSITORY]
>                                 [midPointScheduler_Worker-3] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:12:20,134 [REPOSITORY]
>                                 [midPointScheduler_Worker-3] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:12:20,247 [REPOSITORY]
>                                 [midPointScheduler_Worker-9] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:14:00,397 [REPOSITORY]
>                                 [midPointScheduler_Worker-9] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:22:00,465 [REPOSITORY]
>                                 [midPointScheduler_Worker-3] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:22:06,150 [REPOSITORY]
>                                 [midPointScheduler_Worker-2] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:22:06,271 [REPOSITORY]
>                                 [midPointScheduler_Worker-2] INFO
>                                 (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>                                 HHH000010: On release of batch it
>                                 still contained JDBC statements
>                                 2014-11-04 08:22:11,914 [PROVISIONING]
>                                 [midPointScheduler_Worker-2] WARN
>                                 (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter):
>                                 The resource: SonisWeb-Generate
>                                 (OID:af2bc95b-76e0-48e2-86d6-3d4f02d3fafa)
>                                 does not provide definition for null
>                                 value of simulated activation attribute
>
>                                 On Tue, Nov 4, 2014 at 1:17 AM, Ivan
>                                 Noris <Ivan.Noris at evolveum.com
>                                 <mailto:Ivan.Noris at evolveum.com>> wrote:
>
>                                     Jason,
>
>                                     could you please check error
>                                     messages from idm.log from the
>                                     time of the supposed creation?
>
>                                     Thanks,
>                                     Ivan
>
>                                     ------------------------------------------------------------------------
>
>                                         *From: *"Jason Everling"
>                                         <jeverling at bshp.edu
>                                         <mailto:jeverling at bshp.edu>>
>                                         *To: *"midPoint General
>                                         Discussion"
>                                         <midpoint at lists.evolveum.com
>                                         <mailto:midpoint at lists.evolveum.com>>
>                                         *Sent: *Monday, November 3,
>                                         2014 11:50:06 PM
>                                         *Subject: *[midPoint] Account
>                                         Creation, Not Being created in AD
>
>
>                                         So my director wanted to see
>                                         it fully automated so all I
>                                         basically had to do was modify
>                                         the CSV resource to generate
>                                         the usernames and email
>                                         addresses, done, this works.
>
>                                         The account gets created in
>                                         Midpoint from the CSV, gets an
>                                         Org assigned and gets a Role
>                                         assigned. The role has an
>                                         inducement for active
>                                         directory but even though the
>                                         account gets the role assigned
>                                         an account in AD does not get
>                                         created. Now if I modify the
>                                         user in midpoint, let's say
>                                         just change a letter in the
>                                         personal email address field
>                                         the AD account creation kicks off.
>
>                                         I cannot seem to figure out
>                                         why the AD account does not
>                                         get created even though it
>                                         gets the role assigned and
>                                         before I changed it to create
>                                         the usernames it was creating
>                                         those accounts in AD.
>
>                                         I attached the CSV Resource
>                                         and the CSV Template that is
>                                         being used,
>
>                                         Thanks,
>                                         JASON
>
>
>
>
>
>                                         CONFIDENTIALITY NOTICE:
>                                         This e-mail together with any
>                                         attachments is proprietary and
>                                         confidential; intended for
>                                         only the recipient(s) named
>                                         above and may contain
>                                         information that is
>                                         privileged. You should not
>                                         retain, copy or use this
>                                         e-mail or any attachments for
>                                         any purpose, or disclose all
>                                         or any part of the contents to
>                                         any person. Any views or
>                                         opinions expressed in this
>                                         e-mail are those of the author
>                                         and do not represent those of
>                                         the Baptist School of Health
>                                         Professions. If you have
>                                         received this e-mail in error,
>                                         or are not the named
>                                         recipient(s), you are hereby
>                                         notified that any review,
>                                         dissemination, distribution or
>                                         copying of this communication
>                                         is prohibited by the sender
>                                         and to do so might constitute
>                                         a violation of the Electronic
>                                         Communications Privacy Act, 18
>                                         U.S.C. section 2510-2521.
>                                         Please immediately notify the
>                                         sender and delete this e-mail
>                                         and any attachments from your
>                                         computer.
>
>                                         _______________________________________________
>                                         midPoint mailing list
>                                         midPoint at lists.evolveum.com
>                                         <mailto:midPoint at lists.evolveum.com>
>                                         http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>                                     -- 
>                                       Ing. Ivan Noris
>                                       Senior Identity Management Engineer
>                                       evolveum.com <http://evolveum.com>
>                                       ___________________________________________
>                                                "Idem per idem - semper
>                                     idem Vix."

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."
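
The simplified mapping described in the quoted 7 November reply, written out in full as an added example (not part of the original thread and not Evolveum's own sample). It assumes the same cost-center codes and OU names as the quoted mapping; folding the duplicate branches into Groovy list cases is an addition here, not something suggested in the thread.

```xml
<mapping>
    <!-- costCenter is the only source: it is the only attribute the script reads.
         organization is the target, so it does not need to be declared as a source. -->
    <source>
        <path>$user/costCenter</path>
    </source>
    <expression>
        <script>
            <code>
                // Declaring costCenter as a source makes it available as a variable
                // of the same name. It is a plain String, so basic.stringify() is
                // not needed.
                def base = 'OU=SHP Students,DC=TEST,DC=LOCAL'

                // A Groovy list used as a case label matches when the switch
                // value is contained in the list.
                switch (costCenter) {
                    case ['ASGA', 'AAD']:
                        return 'OU=AAD,' + base
                    case 'ASHIT':
                        return 'OU=AAS HIT,' + base
                    case 'BSHM':
                        return 'OU=BSHM,' + base
                    case 'BSN':
                        return 'OU=BSN,' + base
                    case ['ASIM', 'CT', 'MRI', 'RT', 'VT', 'SO']:
                        return 'OU=DMIT,' + base
                    case ['PN', 'ND']:
                        return 'OU=DPN,' + base
                    case ['ASGT', 'ST']:
                        return 'OU=DST,' + base
                    case 'VN':
                        return 'OU=DVN,' + base
                    case 'GEN':
                        return 'OU=GENED,' + base
                    case 'LVRN':
                        return 'OU=LVRN,' + base
                    case 'PO':
                        return 'OU=PNP,' + base
                    default:
                        // Unknown or missing cost center: stay in the parent OU,
                        // as in the quoted mapping.
                        return base
                }
            </code>
        </script>
    </expression>
    <target>
        <path>organization</path>
    </target>
</mapping>
```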
