[midPoint] AD DistinguishedName, Iteration Token not working

Jason Everling jeverling at bshp.edu
Wed Nov 19 15:42:29 CET 2014


Going to try to get the information asked in here,

Midpoint 3.0
Connector 1.4.1.20257
ConnID Server 1.4.0.76

From resource:

                <attribute>
                    <ref>icfs:name</ref>
                    <displayName>Distinguished Name</displayName>
                    <limitations>
                        <minOccurs>0</minOccurs>
                        <access>
                            <read>true</read>
                            <add>true</add>
                            <modify>true</modify>
                        </access>
                    </limitations>
                    <matchingRule>mr:stringIgnoreCase</matchingRule>
                    <outbound>
                        <source>
                            <path>$user/givenName</path>
                        </source>
                        <source>
                            <path>$user/familyName</path>
                        </source>
                        <source>
                            <path>$user/organization</path>
                        </source>
                        <expression>
                            <script>
                                <code>
'cn='+givenName+' '+familyName+iterationToken+','+organization+''
                                </code>
                            </script>
                        </expression>
                    </outbound>
                </attribute>
                <iteration>
                    <maxIterations>999</maxIterations>
                </iteration>

The logs are below

Logs from Conn Server:
ConnectorServer.exe Error: 0 : Exception :
Type:
Org.IdentityConnectors.Framework.Common.Exceptions.AlreadyExistsException
Message: The object already exists.
: when creating LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
Students,DC=TEST,DC=LOCAL
Source: FrameworkInternal
Stacktrace:    at
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass
oclass, ICollection`1 attributes, OperationOptions options) in
d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line
280
   at
Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass
objectClass, ICollection`1 createAttributes, OperationOptions options) in
c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
442
   at
Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object
proxy, MethodInfo method, Object[] args) in
c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
247
   at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
   at
Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object
proxy, MethodInfo method, Object[] args) in
c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line
1344
   at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
   at
Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest
request) in
c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line
626
  Inner Exception :
  Type: System.DirectoryServices.DirectoryServicesCOMException
  Message: The object already exists.

  Source: System.DirectoryServices
  Stacktrace:    at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass
oclass, ICollection`1 attributes, OperationOptions options) in
d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line
200
    DateTime=2014-11-18T21:08:43.4291442Z
ConnectorServer.exe Information: 0 : Creating case insensitive filter
    DateTime=2014-11-18T21:13:30.7504489Z

On Wed, Nov 19, 2014 at 3:47 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  For the record, this was my OpenDJ mapping (sorry for the namespaces,
> this is from debug pages):
>
>          <attribute>
>             <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
>             <displayName>Distinguished Name</displayName>
>             <limitations>
>                <minOccurs>0</minOccurs>
>                <access>
>                   <read>true</read>
>                   <add>true</add>
>                   <modify>true</modify>
>                </access>
>             </limitations>
>             <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>             <outbound>
>                <source>
>                   <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/givenName</c:path>
>                </source>
>                <source>
>                   <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/familyName</c:path>
>                </source>
>                <expression>
>                   <script>
>                      <code>
>                         'uid=' + givenName + ' ' + familyName + iterationToken + ',ou=people,dc=example,dc=com'
>                      </code>
>                   </script>
>                </expression>
>             </outbound>
>          </attribute>
> . . .
>          <iteration>
>             <maxIterations>5</maxIterations>
>          </iteration>
> . . .
>
> The users in midPoint are named johnsmith, johnsmith2, johnsmith3 and
> their accounts in OpenDJ were:
>
> uid=John Smith,ou=people,dc=example,dc=com
> uid=John Smith1,ou=people,dc=example,dc=com
> uid=John Smith2,ou=people,dc=example,dc=com
>
> (the iterator counts from nothing, then 1, 2 etc.)
>
> Ivan
>
>
>
>
> On 11/19/2014 10:35 AM, Pavol Mederly wrote:
>
> Hello Jason,
>
> one possible cause could be that the AD connector (in your case) does not
> correctly determine the "AlreadyExists" situation. The connector is able to do
> that (it is implemented in it and we've tested it many times) but one never
> knows...
>
> What version of AD connector do you use?
> Could you share all parts of logs of the Connector Server related to
> creation of "LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
> Students,DC=TEST,DC=LOCAL" ?
>
> Thank you,
> Pavol
>
> On 18. 11. 2014 22:21, Jason Everling wrote:
>
> I have been doing some other testing and it seems when the user has the
> same firstname lastname the account will fail to create on active
> directory. I double-checked the code throughout github and it seems correct
> but I get the error which even shows that it is not adding the
> iterationToken to the end of the lastname like it should from the code,
>
>                  <attribute>
>                     <ref>icfs:name</ref>
>                     <displayName>Distinguished Name</displayName>
>                     <limitations>
>                         <minOccurs>0</minOccurs>
>                         <access>
>                             <read>true</read>
>                             <add>true</add>
>                             <modify>true</modify>
>                         </access>
>                     </limitations>
>                     <outbound>
>                         <source>
>                             <path>$user/givenName</path>
>                         </source>
>                         <source>
>                             <path>$user/familyName</path>
>                         </source>
>                         <source>
>                             <path>$user/organization</path>
>                         </source>
>                         <expression>
>                             <script>
>                                 <code>
>  'cn='+givenName+' '+familyName+iterationToken+' ,'+organization+''
>                                 </code>
>                             </script>
>                         </expression>
>                     </outbound>
>                 </attribute>
>
>  In the error below it should be using the person's iterator, which is 2,
> so it should be trying to create it as LDAP://dc1.test.local/cn=Tammy
> Smith2 ,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL but it is not.
>
>  2014-11-18 15:08:45,314 [MODEL] [http-bio-8080-exec-68] ERROR
> (com.evolveum.midpoint.model.impl.lens.ChangeExecutor): Error executing
> changes for (account (default) on
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office
> 365, Google Apps, Moodle)): Can't process shadow: null (OID:null): Generic
> error in connector:
> org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The
> object already exists.
> : when creating LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
> Students,DC=TEST,DC=LOCAL)
> com.evolveum.midpoint.util.exception.CommunicationException: Can't process
> shadow: null (OID:null): Generic error in connector:
> org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The
> object already exists.
> : when creating LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
> Students,DC=TEST,DC=LOCAL)
>
>  Thanks,
>  JASON
>
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com
>   ___________________________________________
>            "Idem per idem - semper idem Vix."
>
>

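As an added illustration (not midPoint's code and not from anyone in this thread), the Python model below plays through the iteration mechanism discussed above: the DN is rebuilt from the outbound expression with iterationToken empty, then 1, 2, ..., and the create is retried only when the connector's failure is recognised as AlreadyExists; a failure that arrives as an unclassified generic error is not retried, so the failing DN carries no token. The names ORG, provision, demo, the exception classes and the reading of maxIterations are assumptions of the model.

```python
from typing import Dict, List, Set

# Constructed base DN, taken from the OU path visible in the page's log.
ORG = "OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL"


class AlreadyExists(Exception):
    """Connector classified the failure: the DN is already taken."""


class GenericConnectorError(Exception):
    """Failure midPoint could not classify (e.g. a wrapped remote exception)."""


def iteration_token(i: int) -> str:
    # Token for attempt i: empty on the first try, then "1", "2", ... (as observed in OpenDJ)
    return "" if i == 0 else str(i)


def build_dn(user: Dict[str, str], token: str) -> str:
    # Same shape as the page's Groovy expression, without the stray " ," before the OU
    return f"cn={user['givenName']} {user['familyName']}{token},{user['organization']}"


def create(directory: Set[str], dn: str, wrap_errors: bool) -> None:
    # icfs:name uses mr:stringIgnoreCase, so compare DNs case-insensitively
    if dn.lower() in {d.lower() for d in directory}:
        msg = f"The object already exists. : when creating {dn}"
        if wrap_errors:  # connector server returned an unclassified error
            raise GenericConnectorError(f"RemoteWrappedException({msg})")
        raise AlreadyExists(msg)
    directory.add(dn)


def provision(user: Dict[str, str], directory: Set[str], max_iterations: int,
              wrap_errors: bool = False) -> str:
    """Create the account, advancing iterationToken while the connector reports AlreadyExists.

    Model assumption: maxIterations bounds the retries after the first attempt.
    """
    for i in range(max_iterations + 1):
        dn = build_dn(user, iteration_token(i))
        try:
            create(directory, dn, wrap_errors)
            return dn
        except AlreadyExists:
            continue  # midPoint re-evaluates the outbound expression with the next token
    raise RuntimeError(f"maxIterations={max_iterations} exhausted for {user['familyName']}")


def demo(wrap_errors: bool = False) -> List[str]:
    """Provision three users who share a name; returns the DNs that were created."""
    directory: Set[str] = set()
    users = [{"givenName": "Tammy", "familyName": "Smith", "organization": ORG} for _ in range(3)]
    return [provision(u, directory, max_iterations=5, wrap_errors=wrap_errors) for u in users]
```

Running `demo()` yields the token-less DN first and then `Smith1`, `Smith2`; `demo(wrap_errors=True)` stops at the second user with an error naming the token-less DN, which is the pattern in the log above.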