[midPoint] AD DistinguishedName, Iteration Token not working
Ivan Noris
ivan.noris at evolveum.com
Wed Nov 19 10:47:34 CET 2014
For the record, this was my OpenDJ mapping (sorry for the namespaces,
this is from debug pages):
<attribute>
    <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
    <displayName>Distinguished Name</displayName>
    <limitations>
        <minOccurs>0</minOccurs>
        <access>
            <read>true</read>
            <add>true</add>
            <modify>true</modify>
        </access>
    </limitations>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    <outbound>
        <source>
            <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/givenName</c:path>
        </source>
        <source>
            <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/familyName</c:path>
        </source>
        <expression>
            <script>
                <code>
                    'uid=' + givenName + ' ' + familyName +
                    iterationToken + ',ou=people,dc=example,dc=com'
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
. . .
<iteration>
    <maxIterations>5</maxIterations>
</iteration>
. . .
The users in midPoint are named johnsmith, johnsmith2, johnsmith3 and
their accounts in OpenDJ were:
uid=John Smith,ou=people,dc=example,dc=com
uid=John Smith1,ou=people,dc=example,dc=com
uid=John Smith2,ou=people,dc=example,dc=com
(the iterator counts from nothing, then 1, 2 etc.)
Ivan
On 11/19/2014 10:35 AM, Pavol Mederly wrote:
> Hello Jason,
>
> one possible cause could be if AD connector (in your case) would not
> correctly determine "AlreadyExists" situation. The connector is able
> to do that (it is implemented in it and we've tested it many times)
> but one never knows...
>
> What version of AD connector do you use?
> Could you share all parts of logs of the Connector Server related to
> creation of "LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
> Students,DC=TEST,DC=LOCAL" ?
>
> Thank you,
> Pavol
>
> On 18. 11. 2014 22:21, Jason Everling wrote:
>> I have been doing some other testing and it seems when the user has
>> the same first name and last name the account will fail to create on
>> Active Directory. I double-checked the code throughout GitHub and it
>> seems correct, but I get the error which even shows that it is not
>> adding the iterationToken to the end of the last name like it should
>> from the code:
>>
>> <attribute>
>>     <ref>icfs:name</ref>
>>     <displayName>Distinguished Name</displayName>
>>     <limitations>
>>         <minOccurs>0</minOccurs>
>>         <access>
>>             <read>true</read>
>>             <add>true</add>
>>             <modify>true</modify>
>>         </access>
>>     </limitations>
>>     <outbound>
>>         <source>
>>             <path>$user/givenName</path>
>>         </source>
>>         <source>
>>             <path>$user/familyName</path>
>>         </source>
>>         <source>
>>             <path>$user/organization</path>
>>         </source>
>>         <expression>
>>             <script>
>>                 <code>
>>                     'cn='+givenName+' '+familyName+iterationToken+' ,'+organization+''
>>                 </code>
>>             </script>
>>         </expression>
>>     </outbound>
>> </attribute>
>>
>> In the error below it should be using the person's iterator, which is
>> 2, so it should be trying to create it as
>> LDAP://dc1.test.local/cn=Tammy Smith2 ,OU=AAD,OU=SHP
>> Students,DC=TEST,DC=LOCAL but it is not.
>>
>> 2014-11-18 15:08:45,314 [MODEL] [http-bio-8080-exec-68] ERROR
>> (com.evolveum.midpoint.model.impl.lens.ChangeExecutor): Error
>> executing changes for (account (default) on
>> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory:
>> Office 365, Google Apps, Moodle)): Can't process shadow: null
>> (OID:null): Generic error in connector:
>> org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The
>> object already exists.
>> : when creating LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
>> Students,DC=TEST,DC=LOCAL)
>> com.evolveum.midpoint.util.exception.CommunicationException: Can't
>> process shadow: null (OID:null): Generic error in connector:
>> org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The
>> object already exists.
>> : when creating LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
>> Students,DC=TEST,DC=LOCAL)
>>
>> Thanks,
>> JASON
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com
___________________________________________
"Idem per idem - semper idem Vix."
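The two behaviours this thread turns on, the iteration token counting "from nothing, then 1, 2" that Ivan observed on OpenDJ, and the failure Pavol suspects (a connector that does not report the conflict as AlreadyExists, so the iteration never advances), as an added Python simulation. This is example code written for this thread, not midPoint or connector code; the in-memory directory, the names and the error strings are constructed, and the assumption that maxIterations bounds the total number of attempts (including the token-less one) is mine, not something the thread states.

```python
"""Simulation of midPoint-style DN iteration during provisioning.

Added example, not midPoint or connector code. The directory, the names and
the error strings are constructed for the demonstration.
"""


class AlreadyExists(Exception):
    """Conflict the connector is expected to report when the DN is taken."""


class FakeDirectory:
    """Constructed stand-in for OpenDJ/AD holding a set of existing DNs.

    DNs are compared case-insensitively, mirroring the mr:stringIgnoreCase
    matching rule on the DN attribute in the mapping above. With
    reports_conflicts=False the directory models the failure mode Pavol
    suspects: a conflict surfaces only as a generic error, so the caller
    cannot tell it apart from any other failure and never bumps the token.
    """

    def __init__(self, existing=(), reports_conflicts=True):
        self._dns = {dn.lower() for dn in existing}
        self.reports_conflicts = reports_conflicts

    def create(self, dn):
        if dn.lower() in self._dns:
            if self.reports_conflicts:
                raise AlreadyExists(dn)
            # Misbehaving connector: the conflict is wrapped in a generic error
            # (constructed message, shaped like the one quoted in the thread)
            raise RuntimeError(
                "Generic error in connector: The object already exists. "
                f": when creating {dn}")
        self._dns.add(dn.lower())
        return dn


def iteration_token(iteration):
    """Token appended to the RDN: empty on the first attempt, then '1', '2', ...
    (the counting Ivan describes: 'from nothing, then 1, 2 etc.')."""
    return "" if iteration == 0 else str(iteration)


def dn_mapping(given_name, family_name, token,
               base="ou=people,dc=example,dc=com"):
    """Python equivalent of the Groovy outbound expression in the OpenDJ mapping."""
    return f"uid={given_name} {family_name}{token},{base}"


def provision(directory, given_name, family_name, max_iterations=5):
    """Create the account, bumping the iteration token on each reported conflict.

    Assumption (not taken from the thread): maxIterations bounds the number of
    attempts including the token-less first one, so iteration runs 0..max-1.
    Returns the DN created. A conflict the connector does not report as
    AlreadyExists propagates unchanged on the very first DN, which is what the
    AD error in the thread looks like.
    """
    for iteration in range(max_iterations):
        dn = dn_mapping(given_name, family_name, iteration_token(iteration))
        try:
            return directory.create(dn)
        except AlreadyExists:
            continue  # expected conflict: try the next token
    raise RuntimeError(
        f"maxIterations={max_iterations} exhausted for {given_name} {family_name}")


def provision_many(directory, names, max_iterations=5):
    """Provision several users in order and return the DNs they received."""
    return [provision(directory, g, f, max_iterations) for g, f in names]


if __name__ == "__main__":
    # Three users with the same display name, as in Ivan's OpenDJ run:
    # expect John Smith, John Smith1, John Smith2
    d = FakeDirectory()
    for dn in provision_many(d, [("John", "Smith")] * 3):
        print(dn)
```

Running it with `reports_conflicts=True` reproduces the three OpenDJ DNs from the message above; with `reports_conflicts=False` and the first DN already present, `provision` fails on the token-less DN and the error never mentions an iterated name, which is the shape of Jason's AD error. When diagnosing a case like this, the useful check is therefore whether the connector-server log shows the conflict being classified as "already exists" rather than as a generic error.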