[midPoint] AD DistinguishedName, Iteration Token not working

Ivan Noris ivan.noris at evolveum.com
Fri Nov 21 22:22:27 CET 2014


Hi Jason,

This is definitely strange. Please send the AD resource configuration
(without confidential info of course). I'll try to have a more complete
look at it...

What is the exact scenario? Are you creating the user from the GUI, or from
an external source (recon, livesync or import)? If so, can you try to
create the user from the GUI?

Thank you,
regards,
Ivan


On 11/21/2014 06:24 PM, Jason Everling wrote:
> I upgraded to 3.0.1 this morning and it is still the same, it doesn't
> add the iteratorToken, it is almost as if it is using the displayName.
>
> I can keep using the + name + attribute or with what I tested today in
> the below
>
> Another way I got around it is by creating a mapping to additionalName
> with iterationToken, then changing the way the DN is built by just
> using the additionalName like
>
> 'CN=' + additionalName + ',' + organization + ''
>
>     <mapping>
>         <source>
>             <path>$user/givenName</path>
>         </source>
>         <source>
>             <path>$user/familyName</path>
>         </source>
>         <expression>
>             <script>
>                 <code>
>                     givenName + ' ' + familyName + iterationToken
>                 </code>
>             </script>
>         </expression>
>         <target>
>             <path>additionalName</path>
>         </target>
>     </mapping>
>
> JASON
>
> On Thu, Nov 20, 2014 at 1:52 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Jason,
>
>     it could also help if you can try the same with midPoint 3.0.1...
>
>     Regards,
>     Ivan
>
>
>     On 11/20/2014 06:13 PM, Jason Everling wrote:
>>     Ok thanks, for now until this is fixed just for my testing
>>     purposes I changed it from
>>
>>     'cn='+givenName+' '+familyName+iterationToken+','+organization+''
>>
>>     To
>>
>>     'CN='+name+','+organization+''
>>
>>     Which works since it uses the username instead of first/last and
>>     doesn't need the iterator. This might be the best way to go for
>>     us in the future; we never delete student accounts, just
>>     disable them. Right now we have over 6000 disabled accounts in AD and
>>     in the future using first/last with iterator might get up to
>>     flastname54, which I am not sure we would like anyway.
>>
>>     JASON
>>
>>     On Wed, Nov 19, 2014 at 1:47 PM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Hi Jason,
>>
>>
>>         > Just on a side note, the username from the db table source gets
>>         > created correctly with the iteration token, it is just not
>>         > applying the iteration token when building the DN for AD.
>>         >
>>
>>         So I recommend to wait for Pavol's resolution then. He's our
>>         primary AD connector specialist. From what you've written it
>>         _looks_ like AD connector specific issue. But it's strange as
>>         I've used the AD connector with iterator for even older midPoint
>>         versions - and it has worked.
>>
>>         I'd have another look at it too, just in case.
>>
>>         Regards,
>>         Ivan
>>
>>         --
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com <http://evolveum.com>
>>           ___________________________________________
>>                    "Idem per idem - semper idem Vix."
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>     CONFIDENTIALITY NOTICE:
>>     This e-mail together with any attachments is proprietary and
>>     confidential; intended for only the recipient(s) named above and
>>     may contain information that is privileged. You should not
>>     retain, copy or use this e-mail or any attachments for any
>>     purpose, or disclose all or any part of the contents to any
>>     person. Any views or opinions expressed in this e-mail are those
>>     of the author and do not represent those of the Baptist School of
>>     Health Professions. If you have received this e-mail in error, or
>>     are not the named recipient(s), you are hereby notified that any
>>     review, dissemination, distribution or copying of this
>>     communication is prohibited by the sender and to do so might
>>     constitute a violation of the Electronic Communications Privacy
>>     Act, 18 U.S.C. section 2510-2521. Please immediately notify the
>>     sender and delete this e-mail and any attachments from your
>>     computer.

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

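The behaviour discussed in this thread, as an added example that is not part of the original messages and is not midPoint code: a simplified model of allocating a unique AD DN by retrying with an iteration token, next to the reported symptom where the token never reaches the DN. The function names, the sample directory entries and the rule that the token is empty on the first attempt and the attempt number afterwards are assumptions made for the illustration.

```python
# Added illustration: simplified model of iteration-based DN allocation.
# Not midPoint code; every function name here is hypothetical.

def iteration_token(iteration):
    # Assumption: empty token on the first attempt, then the attempt number.
    return "" if iteration == 0 else str(iteration)

def dn_with_token(given, family, org, token):
    # Expression quoted in the thread:
    # 'cn='+givenName+' '+familyName+iterationToken+','+organization
    return "cn=" + given + " " + family + token + "," + org

def dn_without_token(given, family, org, token):
    # Models the reported symptom: the token is computed but never ends up in the DN.
    return "cn=" + given + " " + family + "," + org

def allocate_dn(build_dn, given, family, org, existing, max_iterations=5):
    """Return (dn, iteration) for the first DN not already taken, else None."""
    taken = {dn.lower() for dn in existing}  # AD compares DNs case-insensitively
    for iteration in range(max_iterations + 1):
        candidate = build_dn(given, family, org, iteration_token(iteration))
        if candidate.lower() not in taken:
            return candidate, iteration
    return None  # every attempt produced a DN that already exists

# Constructed sample data: disabled accounts still occupy their DN.
ORG = "OU=Students,DC=example,DC=com"
EXISTING = [
    "CN=John Smith," + ORG,
    "CN=John Smith1," + ORG,
]

if __name__ == "__main__":
    # Token applied: the third attempt yields a free DN.
    print(allocate_dn(dn_with_token, "John", "Smith", ORG, EXISTING))
    # Token dropped: all attempts build the same DN, so allocation fails.
    print(allocate_dn(dn_without_token, "John", "Smith", ORG, EXISTING))
```
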