[midPoint] Account Creation, Not Being created in AD

Jason Everling jeverling at bshp.edu
Fri Dec 5 16:13:01 CET 2014


Ok thanks for the update!

JASON

On Fri, Dec 5, 2014 at 2:10 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Jason,
>
> I've just tried the original iterator (User in midPoint) problem and it
> seems to be fixed in git-v3.0.1devel-703-g8c40b63.
>
> I've tested with LiveSync CSV sample from you, used user template either
> referenced from the unmatched action or global template. Username is
> generated in midPoint:
>
> (username - fullname)
> cypecienka - Cyrus Pecienka
> cypecienka2 - Cyrusov Pecienka
> cypecienka3 - Cyril Pecienka
> cypecienka4 - Cyrhoza Pecienka
>
> Please retest it once after you upgrade to 3.1 or the master snapshot.
> Thank you.
>
> Regards,
> Ivan
>
>
> On 11/07/2014 04:23 PM, Jason Everling wrote:
>
> Thanks, it is working, like you said, will be easier to manage in the long
> run! Keep me posted on the bug fix,
>
>  For now, I am just cleaning up objects and playing with other functions,
>
>  JASON
>
> On Fri, Nov 7, 2014 at 2:56 AM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>>  yes you can use switch in one mapping instead of having many mappings -
>> I'm using it very often. It will be more simple to maintain.
>>
>>  Just be sure to pass all required attributes as source. In your case,
>> organization does not have to be source attribute, because you are not
>> referencing it in the mapping expression
>>  nor conditions.
>>
>>  You can further simplify the switch statement as:
>>
>>  switch (*costCenter*) {
>> . . .
>>
>>  - no basic.stringify() is needed, because the attribute type is String
>> and not Polystring. Having it there would not do any harm though.
>>  - you can address the attribute as "costCenter", because it's
>> implicitly stored in that "variable" as it is declared as source attribute
>>
>>  Hope this helps you with designing your mappings.
>>
>>  Regards,
>>  Ivan
>>
>>  ------------------------------
>>
>> *From: *"Jason Everling" <jeverling at bshp.edu>
>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>> *Sent: *Thursday, November 6, 2014 6:00:04 PM
>>
>> *Subject: *Re: [midPoint] Account Creation, Not Being created in AD
>>
>>  Oh Ok thanks,
>>
>>  Can you look at this and make sure it is correct, if you look at the
>> CSV User template I had sent I had a condition for each program, I did some
>> more digging on github and found a sample similar to this,
>>
>>  Would the below work instead of all the conditions for mapping,
>>
>>  <mapping>
>>      <source>
>>          <path>$user/costCenter</path>
>>      </source>
>>      <source>
>>          <path>$user/organization</path>
>>      </source>
>>      <expression>
>>          <script>
>>              <code>
>>                  tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>>                  switch (basic.stringify(user.getCostCenter())) {
>>                      case 'ASGA':
>>                          tmpOU = 'OU=AAD,' + tmpOU
>>                          break
>>                      case 'AAD':
>>                          tmpOU = 'OU=AAD,' + tmpOU
>>                          break
>>                      case 'ASHIT':
>>                          tmpOU = 'OU=AAS HIT,' + tmpOU
>>                          break
>>                      case 'BSHM':
>>                          tmpOU = 'OU=BSHM,' + tmpOU
>>                          break
>>                      case 'BSN':
>>                          tmpOU = 'OU=BSN,' + tmpOU
>>                          break
>>                      case 'ASIM':
>>                          tmpOU = 'OU=DMIT,' + tmpOU
>>                          break
>>                      case 'CT':
>>                          tmpOU = 'OU=DMIT,' + tmpOU
>>                          break
>>                      case 'MRI':
>>                          tmpOU = 'OU=DMIT,' + tmpOU
>>                          break
>>                      case 'RT':
>>                          tmpOU = 'OU=DMIT,' + tmpOU
>>                          break
>>                      case 'VT':
>>                          tmpOU = 'OU=DMIT,' + tmpOU
>>                          break
>>                      case 'SO':
>>                          tmpOU = 'OU=DMIT,' + tmpOU
>>                          break
>>                      case 'PN':
>>                          tmpOU = 'OU=DPN,' + tmpOU
>>                          break
>>                      case 'ND':
>>                          tmpOU = 'OU=DPN,' + tmpOU
>>                          break
>>                      case 'ASGT':
>>                          tmpOU = 'OU=DST,' + tmpOU
>>                          break
>>                      case 'ST':
>>                          tmpOU = 'OU=DST,' + tmpOU
>>                          break
>>                      case 'VN':
>>                          tmpOU = 'OU=DVN,' + tmpOU
>>                          break
>>                      case 'GEN':
>>                          tmpOU = 'OU=GENED,' + tmpOU
>>                          break
>>                      case 'LVRN':
>>                          tmpOU = 'OU=LVRN,' + tmpOU
>>                          break
>>                      case 'PO':
>>                          tmpOU = 'OU=PNP,' + tmpOU
>>                          break
>>                      default:
>>                          tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>>                  }
>>                  return tmpOU
>>              </code>
>>          </script>
>>      </expression>
>>      <target>
>>          <path>organization</path>
>>      </target>
>>  </mapping>
>>
>> On Thu, Nov 6, 2014 at 10:36 AM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi Jason,
>>>
>>> it seems you've hit a bug. I've replicated it on midPoint master.
>>>
>>> The issue is now being investigated by our developers in order to fix
>>> it. I will drop a message to the list when it's resolved.
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 11/05/2014 03:13 PM, Jason Everling wrote:
>>>
>>> So the role that gets assigned is nothing special, I just created a new
>>> role in the GUI and added the inducement for AD Resource. Eventually I will
>>> change the permissions on the roles to match what they need to be in
>>> production.
>>>
>>>  I attached the AD Resource and AD User Template,
>>>
>>>  JASON
>>>
>>> On Wed, Nov 5, 2014 at 3:17 AM, Ivan Noris <Ivan.Noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>>  yes I think it's somehow depending on the fact that you are
>>>> generating username.
>>>>
>>>>  Can you please share details how AD accounts are constructed from the
>>>> midpoint's username? What attributes are depending on user/name? DN?
>>>> sAMAccountName? ... ?
>>>>  Also, could you send the role definition? I have some conditional
>>>> roles that are assigned to user, but don't do anything if the condition is
>>>> false. Which resembles your situation...
>>>>
>>>>  BTW it's really strange for me so far. I'd expect at least some
>>>> exception...
>>>>
>>>>  Thanks,
>>>>  regards,
>>>>  Ivan
>>>>
>>>>  ------------------------------
>>>>
>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>> *Sent: *Tuesday, November 4, 2014 5:19:31 PM
>>>> *Subject: *Re: [midPoint] Account Creation, Not Being created in AD
>>>>
>>>>
>>>>  So yes, those are from today but instead of digging through to
>>>> yesterday I just added a new line to the CSV feed, so new
>>>> firstname,lastname, employeeID so that it would create a new account.
>>>>
>>>>  I actually added 3 new lines to the CSV and all 3 get created in
>>>> Midpoint, Role Assigned with AD inducement, and Org Assigned, the AD
>>>> account never gets created though until I modify the account in Midpoint.
>>>>
>>>>  That is the only log entry I get when the CSV feed is updated and new
>>>> account is created in Midpoint,
>>>>
>>>>  Using Midpoint 3.0
>>>>
>>>>     Version 3.0  Git describe git-v3.0
>>>>  If I remove the username generation and add a username attribute to
>>>> the CSV feed it works as expected, this is just when generating the
>>>> username, is it maybe because the role is getting assigned before Midpoint
>>>> has time to generate the username and such?
>>>>
>>>>  Jason
>>>>
>>>> On Tue, Nov 4, 2014 at 9:57 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hi Jason,
>>>>>
>>>>> just to be sure: these error messages have timestamp from today; but
>>>>> you've reported your problem to the list yesterday.
>>>>>
>>>>> Could you please:
>>>>>
>>>>> 1) double check that the log is the correct one / or find the
>>>>> (supposed) error messages in previously rotated log (stored in the same
>>>>> directory as idm.log, but the name derived from the date..)
>>>>> 2) replicate the issue and send current idm.log fragment
>>>>>
>>>>> The messages referenced here are ok = we don't see anything yet.
>>>>>
>>>>> Also please, what version of midPoint are you using..?
>>>>>
>>>>> Thanks,
>>>>> regards,
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 11/04/2014 03:25 PM, Jason Everling wrote:
>>>>>
>>>>> I added a new line to the CSV so it could create a new user, it gets
>>>>> created in Midpoint and the role and org assigned, the only item in the log
>>>>> that stands out is,
>>>>>
>>>>>  2014-11-04 08:22:11,914 [PROVISIONING] [midPointScheduler_Worker-2]
>>>>> WARN (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): The
>>>>> resource: SonisWeb-Generate (OID:af2bc95b-76e0-48e2-86d6-3d4f02d3fafa) does
>>>>> not provide definition for null value of simulated activation attribute
>>>>>
>>>>>  There are no other errors besides that,
>>>>>
>>>>>  2014-11-04 08:09:00,859 [REPOSITORY] [midPointScheduler_Worker-6]
>>>>> INFO (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
>>>>> HHH000010: On release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:09:29,824 [REPOSITORY] [midPointScheduler_Worker-3] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:12:20,134 [REPOSITORY] [midPointScheduler_Worker-3] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:12:20,247 [REPOSITORY] [midPointScheduler_Worker-9] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:14:00,397 [REPOSITORY] [midPointScheduler_Worker-9] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:22:00,465 [REPOSITORY] [midPointScheduler_Worker-3] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:22:06,150 [REPOSITORY] [midPointScheduler_Worker-2] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:22:06,271 [REPOSITORY] [midPointScheduler_Worker-2] INFO
>>>>> (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl): HHH000010: On
>>>>> release of batch it still contained JDBC statements
>>>>> 2014-11-04 08:22:11,914 [PROVISIONING] [midPointScheduler_Worker-2]
>>>>> WARN (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): The
>>>>> resource: SonisWeb-Generate (OID:af2bc95b-76e0-48e2-86d6-3d4f02d3fafa) does
>>>>> not provide definition for null value of simulated activation attribute
>>>>>
>>>>> On Tue, Nov 4, 2014 at 1:17 AM, Ivan Noris <Ivan.Noris at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>>  Jason,
>>>>>>
>>>>>>  could you please check error messages from idm.log from the time of
>>>>>> the supposed creation?
>>>>>>
>>>>>>  Thanks,
>>>>>>  Ivan
>>>>>>
>>>>>>  ------------------------------
>>>>>>
>>>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>>>> *Sent: *Monday, November 3, 2014 11:50:06 PM
>>>>>> *Subject: *[midPoint] Account Creation, Not Being created in AD
>>>>>>
>>>>>>
>>>>>>  So my director wanted to see it fully automated so all I basically
>>>>>> had to do was modify the CSV resource to generate the usernames and email
>>>>>> addresses, done, this works.
>>>>>>
>>>>>>  The account gets created in Midpoint from the CSV, gets an Org
>>>>>> assigned and gets a Role assigned. The role has an inducement for active
>>>>>> directory but even though the account gets the role assigned an account in
>>>>>> AD does not get created. Now if I modify the user in midpoint, let's say
>>>>>> just change a letter in the personal email address field the AD account
>>>>>> creation kicks off.
>>>>>>
>>>>>>  I cannot seem to figure out why the AD account does not get created
>>>>>> even though it gets the role assigned and before I changed it to create the
>>>>>> usernames it was creating those accounts in AD.
>>>>>>
>>>>>>  I attached the CSV Resource and the CSV Template that is being used,
>>>>>>
>>>>>>  Thanks,
>>>>>> JASON
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>   CONFIDENTIALITY NOTICE:
>>>>>> This e-mail together with any attachments is proprietary and
>>>>>> confidential; intended for only the recipient(s) named above and may
>>>>>> contain information that is privileged. You should not retain, copy or use
>>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>>> computer.
>>>>>>
>>>>>>  _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>  --
>>>>>>    Ing. Ivan Noris
>>>>>>   Senior Identity Management Engineer
>>>>>>   evolveum.com
>>>>>>   ___________________________________________
>>>>>>            "Idem per idem - semper idem Vix."
>>>>>>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
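
The username sequence in the retest above (cypecienka, cypecienka2, cypecienka3, cypecienka4) is what an iterating generator produces when several people map to the same base name. The sketch below is an added example, not code from this thread or from midPoint: the base-name rule (first two letters of the given name plus the family name, lower-cased) is inferred from the four sample rows, the 20-character cap is the sAMAccountName limit for AD user objects, and `base_name`, `next_username` and `provision` are hypothetical names.

```python
import re
import unicodedata

MAX_LEN = 20         # assumed cap: sAMAccountName limit for AD user objects
MAX_ITERATIONS = 99  # assumed bound so a bad feed cannot iterate forever


def _clean(value):
    """Strip accents and anything outside [a-z0-9], lower-casing the rest."""
    value = unicodedata.normalize("NFKD", value)
    value = value.encode("ascii", "ignore").decode("ascii").lower()
    return re.sub(r"[^a-z0-9]", "", value)


def base_name(given, family):
    """Rule inferred from the thread's samples: 2 letters of given + family."""
    return _clean(given)[:2] + _clean(family)


def next_username(given, family, taken):
    """Return the first free name in the series base, base2, base3, ...

    The comparison is case-insensitive because AD treats account names
    that differ only in case as the same account.
    """
    base = base_name(given, family)
    if not base:
        raise ValueError("name contains no usable characters")
    taken_lower = {t.lower() for t in taken}
    for i in range(1, MAX_ITERATIONS + 1):
        suffix = "" if i == 1 else str(i)
        # Truncate the base, never the suffix, so the result stays unique.
        candidate = base[: MAX_LEN - len(suffix)] + suffix
        if candidate not in taken_lower:
            return candidate
    raise RuntimeError(f"no free username for {base!r} after {MAX_ITERATIONS} tries")


def provision(feed, taken=()):
    """Assign usernames to (given, family) rows in feed order."""
    used = {t.lower() for t in taken}
    result = []
    for given, family in feed:
        name = next_username(given, family, used)
        used.add(name)
        result.append((name, f"{given} {family}"))
    return result


# Constructed feed: the four full names from the retest quoted in the thread.
SAMPLE_FEED = [
    ("Cyrus", "Pecienka"),
    ("Cyrusov", "Pecienka"),
    ("Cyril", "Pecienka"),
    ("Cyrhoza", "Pecienka"),
]

if __name__ == "__main__":
    for username, fullname in provision(SAMPLE_FEED):
        print(f"{username} - {fullname}")
```

Seeding `taken` with the account names already present in the target directory keeps a generated name from colliding with an existing account.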
