[midPoint] AD DistinguishedName, Iteration Token not working

Jason Everling jeverling at bshp.edu
Wed Nov 19 16:16:10 CET 2014


Just on a side note: the username from the DB table source gets created
correctly with the iteration token; it is just not applying the iteration
token when building the DN for AD.

From midPoint,

<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="e1d01bf9-4188-4ae2-9d7b-907b72649478"
      version="4">
   <name>tasmith2</name>
   <extension>
      <gen148:otherMailbox xmlns:gen148="http://whatever.com/my">tammy at gaail.com</gen148:otherMailbox>
      <gen148:eduPersonAffiliation xmlns:gen148="http://whatever.com/my">student</gen148:eduPersonAffiliation>
   </extension>
   <metadata>
      <createTimestamp>2014-11-18T14:55:42.735-06:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</createChannel>
      <modifyTimestamp>2014-11-19T09:10:14.545-06:00</modifyTimestamp>
      <modifierRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                   oid="00000000-0000-0000-0000-000000000002"
                   type="tns:UserType"/>
      <modifyChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</modifyChannel>
   </metadata>
   <linkRef oid="559bb816-c6ae-409c-904c-7e963e74caa8" type="ShadowType"/>
   <linkRef oid="56fda065-f55d-489a-95d0-1d664ccb9ab4" type="ShadowType"/>
   <assignment id="1">
      <targetRef xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="f6f68a1d-313e-4fa4-af32-96219476d4ea"
                 type="c:OrgType"/>
   </assignment>
   <assignment id="2">
      <targetRef xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 oid="ebdf7b91-79af-4a49-9255-f0baa51f9c2b"
                 type="c:RoleType"/>
   </assignment>
   <activation>
      <administrativeStatus>enabled</administrativeStatus>
      <effectiveStatus>enabled</effectiveStatus>
      <disableTimestamp>2014-11-18T14:55:42.529-06:00</disableTimestamp>
      <enableTimestamp>2014-11-18T14:55:42.529-06:00</enableTimestamp>
   </activation>
   <iteration>1</iteration>
   <iterationToken>2</iterationToken>
   <fullName>Tammy Smith</fullName>
   <givenName>Tammy</givenName>
   <familyName>Smith</familyName>
   <locale>US</locale>
   <emailAddress>tasmith2 at bshp.edu</emailAddress>
   <employeeNumber>TS1246814</employeeNumber>
   <employeeType>A2S</employeeType>
   <costCenter>ASGA</costCenter>
   <organization>OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL</organization>
   <locality>San Antonio</locality>

JASON

On Wed, Nov 19, 2014 at 8:42 AM, Jason Everling <jeverling at bshp.edu> wrote:

> Going to try to get the information asked for in here:
>
> Midpoint 3.0
> Connector 1.4.1.20257
> ConnID Server 1.4.0.76
>
> From resource:
>
>                 <attribute>
>                     <ref>icfs:name</ref>
>                     <displayName>Distinguished Name</displayName>
>                     <limitations>
>                         <minOccurs>0</minOccurs>
>                         <access>
>                             <read>true</read>
>                             <add>true</add>
>                             <modify>true</modify>
>                         </access>
>                     </limitations>
>                     <matchingRule>mr:stringIgnoreCase</matchingRule>
>                     <outbound>
>                         <source>
>                             <path>$user/givenName</path>
>                         </source>
>                         <source>
>                             <path>$user/familyName</path>
>                         </source>
>                         <source>
>                             <path>$user/organization</path>
>                         </source>
>                         <expression>
>                             <script>
>                                 <code>
> 'cn='+givenName+' '+familyName+iterationToken+','+organization+''
>                                 </code>
>                             </script>
>                         </expression>
>                     </outbound>
>                 </attribute>
>                 <iteration>
>                     <maxIterations>999</maxIterations>
>                 </iteration>
>
> The logs are below
>
> Logs from Conn Server:
> ConnectorServer.exe Error: 0 : Exception :
> Type:
> Org.IdentityConnectors.Framework.Common.Exceptions.AlreadyExistsException
> Message: The object already exists.
> : when creating LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
> Students,DC=TEST,DC=LOCAL
> Source: FrameworkInternal
> Stacktrace:    at
> Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass
> oclass, ICollection`1 attributes, OperationOptions options) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line
> 280
>    at
> Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass
> objectClass, ICollection`1 createAttributes, OperationOptions options) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
> 442
>    at
> Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object
> proxy, MethodInfo method, Object[] args) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line
> 247
>    at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
>    at
> Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object
> proxy, MethodInfo method, Object[] args) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line
> 1344
>    at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
>    at
> Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest
> request) in
> c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line
> 626
>   Inner Exception :
>   Type: System.DirectoryServices.DirectoryServicesCOMException
>   Message: The object already exists.
>
>   Source: System.DirectoryServices
>   Stacktrace:    at System.DirectoryServices.DirectoryEntry.CommitChanges()
>    at
> Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass
> oclass, ICollection`1 attributes, OperationOptions options) in
> d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line
> 200
>     DateTime=2014-11-18T21:08:43.4291442Z
> ConnectorServer.exe Information: 0 : Creating case insensitive filter
>     DateTime=2014-11-18T21:13:30.7504489Z
>
> On Wed, Nov 19, 2014 at 3:47 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  For the record, this was my OpenDJ mapping (sorry for the namespaces,
>> this is from debug pages):
>>
>>          <attribute>
>>             <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
>>             <displayName>Distinguished Name</displayName>
>>             <limitations>
>>                <minOccurs>0</minOccurs>
>>                <access>
>>                   <read>true</read>
>>                   <add>true</add>
>>                   <modify>true</modify>
>>                </access>
>>             </limitations>
>>             <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>             <outbound>
>>                <source>
>>                   <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/givenName</c:path>
>>                </source>
>>                <source>
>>                   <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/familyName</c:path>
>>                </source>
>>                <expression>
>>                   <script>
>>                      <code>
>>                         'uid=' + givenName + ' ' + familyName + iterationToken + ',ou=people,dc=example,dc=com'
>>                      </code>
>>                   </script>
>>                </expression>
>>             </outbound>
>>          </attribute>
>> . . .
>>          <iteration>
>>             <maxIterations>5</maxIterations>
>>          </iteration>
>> . . .
>>
>> The users in midPoint are named johnsmith, johnsmith2, johnsmith3 and
>> their accounts in OpenDJ were:
>>
>> uid=John Smith,ou=people,dc=example,dc=com
>> uid=John Smith1,ou=people,dc=example,dc=com
>> uid=John Smith2,ou=people,dc=example,dc=com
>>
>> (the iterator counts from nothing, then 1, 2, etc.)
>>
>> Ivan
>>
>>
>>
>>
>> On 11/19/2014 10:35 AM, Pavol Mederly wrote:
>>
>> Hello Jason,
>>
>> one possible cause could be that the AD connector (in your case) does not
>> correctly determine the "AlreadyExists" situation. The connector is able to do
>> that (it is implemented in it and we have tested it many times), but one never
>> knows...
>>
>> What version of AD connector do you use?
>> Could you share all parts of the Connector Server logs related to the
>> creation of "LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP
>> Students,DC=TEST,DC=LOCAL"?
>>
>> Thank you,
>> Pavol
>>
>> On 18. 11. 2014 22:21, Jason Everling wrote:
>>
>> I have been doing some other testing and it seems that when the user has the
>> same first name and last name, the account will fail to create in Active
>> Directory. I double-checked the code throughout GitHub and it seems correct,
>> but I get the error, which even shows that it is not adding the
>> iterationToken to the end of the last name like it should according to the code:
>>
>>                  <attribute>
>>                     <ref>icfs:name</ref>
>>                     <displayName>Distinguished Name</displayName>
>>                     <limitations>
>>                         <minOccurs>0</minOccurs>
>>                         <access>
>>                             <read>true</read>
>>                             <add>true</add>
>>                             <modify>true</modify>
>>                         </access>
>>                     </limitations>
>>                     <outbound>
>>                         <source>
>>                             <path>$user/givenName</path>
>>                         </source>
>>                         <source>
>>                             <path>$user/familyName</path>
>>                         </source>
>>                         <source>
>>                             <path>$user/organization</path>
>>                         </source>
>>                         <expression>
>>                             <script>
>>                                 <code>
>>  'cn='+givenName+' '+familyName+iterationToken+' ,'+organization+''
>>                                 </code>
>>                             </script>
>>                         </expression>
>>                     </outbound>
>>                 </attribute>
>>
>> In the error below it should be using the person's iterator, which is 2,
>> so it should be trying to create it as LDAP://dc1.test.local/cn=Tammy
>> Smith2 ,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL, but it is not.
>>
>> 2014-11-18 15:08:45,314 [MODEL] [http-bio-8080-exec-68] ERROR (com.evolveum.midpoint.model.impl.lens.ChangeExecutor): Error executing changes for (account (default) on resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef(Active Directory: Office 365, Google Apps, Moodle)): Can't process shadow: null (OID:null): Generic error in connector: org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The object already exists.
>> : when creating LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL)
>> com.evolveum.midpoint.util.exception.CommunicationException: Can't process shadow: null (OID:null): Generic error in connector: org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The object already exists.
>> : when creating LDAP://dc1.test.local/cn=Tammy Smith ,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL)
>>
>>  Thanks,
>>  JASON
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com
>>   ___________________________________________
>>            "Idem per idem - semper idem Vix."
>>
>>
>>
>>
>

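The mappings in this thread build the DN by plain string concatenation of givenName, familyName, the iteration token and the organization. The following Python is an added example, not midPoint, ConnId or connector code: it simulates the retry on an AlreadyExists collision with the token sequence Ivan describes (nothing, then 1, 2, ...), compares DNs case-insensitively like the mr:stringIgnoreCase matching rule in the mapping, and escapes the RDN value per RFC 4514 so that a name containing a comma, a leading '#' or a leading/trailing space cannot add, split or alter an RDN. The directory contents, the token formula and the retry range (base DN as iteration 0, then up to max_iterations tokens) are assumptions made for illustration, not a description of midPoint's internals.

```python
# Added example, not midPoint/ConnId code: simulates an outbound DN mapping
# with an iteration token, as discussed in the thread above.
from typing import Iterable, Tuple

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514 2.4).
_RDN_SPECIAL = set('"+,;<>\\')

ORG = "OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL"

# Constructed sample of what already exists in the directory (not real data).
EXISTING_ENTRIES = [
    "CN=Tammy Smith,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL",
    "CN=Tammy Smith1,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL",
]


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4).

    Special characters get a backslash; so do a leading '#', a leading space
    and a trailing space. NUL is written as the hex pair \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _RDN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def iteration_token(iteration: int) -> str:
    """Token as Ivan describes it: nothing for the first attempt, then 1, 2, ...
    (assumption: mirrors the default token, which midPoint lets you configure)."""
    return '' if iteration == 0 else str(iteration)


def build_dn(given_name: str, family_name: str, organization: str, token: str) -> str:
    """Same shape as the thread's expression
       'cn=' + givenName + ' ' + familyName + iterationToken + ',' + organization
    but with the RDN value escaped, so user-supplied names cannot add or split RDNs."""
    rdn_value = escape_rdn_value(f"{given_name} {family_name}{token}")
    return f"cn={rdn_value},{organization}"


def resolve_dn(given_name: str, family_name: str, organization: str,
               existing: Iterable[str], max_iterations: int = 999) -> Tuple[int, str]:
    """Retry with an incremented token until the DN is not taken.

    Stands in for the AlreadyExists handling the connector is expected to
    report back to midPoint. Comparison is case-insensitive, like the
    mr:stringIgnoreCase matching rule in the mapping. Assumption: the base DN
    counts as iteration 0 and up to max_iterations further tokens are tried.
    """
    taken = {dn.lower() for dn in existing}
    for iteration in range(max_iterations + 1):
        dn = build_dn(given_name, family_name, organization, iteration_token(iteration))
        if dn.lower() not in taken:
            return iteration, dn
    raise RuntimeError(f"no free DN for {given_name} {family_name} after {max_iterations} iterations")


if __name__ == "__main__":
    # Tammy Smith and Tammy Smith1 are taken, so the third attempt wins.
    print(resolve_dn("Tammy", "Smith", ORG, EXISTING_ENTRIES))
    # A comma in the family name is escaped instead of terminating the RDN.
    print(build_dn("Tammy", "Smith, Jr.", ORG, ""))
```

Note that neither expression quoted in the thread escapes the attribute values it concatenates; a comma, plus sign or leading/trailing space in givenName or familyName is passed through into the DN as-is. When the source of those values is a database or HR feed rather than an administrator, treat the DN builder like any other string that reaches a directory operation and escape it.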

