[midPoint] AD DistinguishedName, Iteration Token not working

Jason Everling jeverling at bshp.edu
Tue Nov 25 15:47:56 CET 2014


I see how it is not correct now: after looking at the shadow account, it can
also have an iteration. Although for the user named in my test his
iteration is blank, maybe that is why the original code does not add a
token, because none exists when it gets created as a shadow or when it would
be created.

   <iteration>0</iteration>
   <iterationToken/>

I will track the progress and adjust when the fixes are in place. I made a
note of this issue and the other issue for the CSV Username.

Thanks,
JASON



On Tue, Nov 25, 2014 at 8:23 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> it may be working, but it's not correct. The "user.getIterationToken()"
> will get the iterator from user, not the account.
>
> FYI it seems that we have replicated the behaviour, tracked as
> https://jira.evolveum.com/browse/MID-2102
>
> Regards,
> Ivan
>
>
> On 11/24/2014 05:28 PM, Jason Everling wrote:
>
> Awesome!!!
>
>  So this works, creates CN=Tim Hecks2,OU=AAD,OU=SHP
> Students,DC=TEST,DC=LOCAL
>
>     <script>
>         <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>         <code>
>             'cn=' + user.getFullName() + user.getIterationToken() + ',' + basic.stringify(user.getOrganization())
>         </code>
>     </script>
>
>  JASON
>
>
> On Mon, Nov 24, 2014 at 9:48 AM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Jason,
>>
>> I've tried to replicate the iterator problem with CSV (instead of AD) -
>> no success, it works.
>>
>> The scenario was: pick up changes from CSV (source); not generating
>> unique login in midPoint; automatically assigning role for AD (simulated by
>> CSV) where iteration token is used in icfs:name mapping.
>>
>> For source users "jacksparrow" (Jack Sparrow) and "jcksparrow" (also Jack
>> Sparrow) I got "jacksparrow" and "jcksparrow" in midPoint, and "cn=Jack
>> Sparrow,..." and "cn=Jack Sparrow1,..." in target AD (CSV).
>>
>> I will still try to replicate on real AD soon.
>>
>> As for the Groovy/mappings etc: I believe that
>> basic.stringify(user.getOrganization()) would fix the latter, but this just
>> has to work without such hacks, by using:
>>
>> <source>
>>   <path>$user/fullName</path>
>> </source>
>> <source>
>>   <path>$user/organization</path>
>> </source>
>>
>>  and using fullName / organization (and iterationToken) in the mappings
>> as before...
>> i.e.
>>
>>     <outbound>
>>         <source>
>>             <path>$user/givenName</path>
>>         </source>
>>         <source>
>>             <path>$user/familyName</path>
>>         </source>
>>         <source>
>>             <path>$user/organization</path>
>>         </source>
>>         <expression>
>>             <script>
>>                 <code>
>>                     'cn='+givenName+' '+familyName+iterationToken+','+organization+''
>>                 </code>
>>             </script>
>>         </expression>
>>     </outbound>
>> </attribute>
>> <iteration>
>>     <maxIterations>5</maxIterations>
>> </iteration>
>>
>> So this must be either strange misconfiguration or a bug. But as it seems
>> to work for CSV, I have to confirm it on real AD. It's just patching
>> itself, so I'll let you know after it's ready and tested.
>>
>> The issue with generating unique users in midPoint for liveSync is a bug,
>> being worked on.
>>
>> Regards,
>> Ivan
>>
>>
>> On 11/24/2014 04:30 PM, Jason Everling wrote:
>>
>> I got a little closer, tried Groovy and XPATH,
>>
>>  Using a Groovy expression, it picks up the iterationToken but I am
>> getting an error in the expressions, Groovy is new to me so here is the
>> code,
>>
>>          <code>
>>             "cn=" + user.getFullName() + user.getIterationToken() + "," +
>> user.getOrganization();
>>         </code>
>>
>>  When trying to add the account to midPoint, I am getting the below; you
>> can see the iterationToken was added, but I don't think my code above is
>> correct:
>>
>>   Attribute: {Name=__NAME__, Value=[cn=Tim Hecks2,[OU=AAD,OU=SHP
>> Students,DC=TEST,DC=LOCAL]]},
>>
>>  JASON
>>
>>
>> On Fri, Nov 21, 2014 at 5:41 PM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>>> I know, so strange.
>>>
>>>  This is basically still the same setup with the CSV resource, where it
>>> is not creating the username on the AD resource when it is generating the
>>> username, from this conversation:
>>> http://lists.evolveum.com/pipermail/midpoint/2014-November/000576.html
>>>
>>>  I put it up on a temp repo to make it easier for you to pull what you
>>> want to look at, it has the latest changes I made using the additionalName
>>> mapping, you can add back the distinguishedName code that is on the samples
>>> github which is what I was using,
>>>
>>>  Here are the files,
>>> https://bitbucket.org/jason_everling/idm_midpoint-dev
>>>
>>>  JASON
>>>
>>> On Fri, Nov 21, 2014 at 3:22 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Jason,
>>>>
>>>> this is definitely strange. Please send the AD resource configuration
>>>> (without confidential info of course). I'll try to have a more complete
>>>> look at it...
>>>>
>>>> What is the exact scenario? Are you creating the user from GUI, or from
>>>> external source (recon, livesync or import)? If so, can you try to create
>>>> the user from GUI?
>>>>
>>>> Thank you,
>>>> regards,
>>>> Ivan
>>>>
>>>>
>>>>
>>>> On 11/21/2014 06:24 PM, Jason Everling wrote:
>>>>
>>>> I upgraded to 3.0.1 this morning and it is still the same, it doesn't
>>>> add the iteratorToken, it is almost as if it is using the displayName.
>>>>
>>>>  I can keep using the + name + attribute, or what I tested today,
>>>> below.
>>>>
>>>>  Another way I got around it is by creating a mapping to additionalName
>>>> with iterationToken, then changing the way the DN is built by just using the
>>>> additionalName, like
>>>>
>>>>  'CN=' + additionalName + ',' + organization + ''
>>>>
>>>>      <mapping>
>>>>         <source>
>>>>             <path>$user/givenName</path>
>>>>         </source>
>>>>         <source>
>>>>             <path>$user/familyName</path>
>>>>         </source>
>>>>         <expression>
>>>>             <script>
>>>>                 <code>
>>>>                     givenName + ' ' + familyName + iterationToken
>>>>                 </code>
>>>>             </script>
>>>>         </expression>
>>>>         <target>
>>>>             <path>additionalName</path>
>>>>         </target>
>>>>     </mapping>
>>>>
>>>>  JASON
>>>>
>>>> On Thu, Nov 20, 2014 at 1:52 PM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hi Jason,
>>>>>
>>>>> it could also help if you can try the same with midPoint 3.0.1...
>>>>>
>>>>> Regards,
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 11/20/2014 06:13 PM, Jason Everling wrote:
>>>>>
>>>>>  Ok thanks, for now until this is fixed just for my testing purposes
>>>>> I changed it from
>>>>>
>>>>>  'cn='+givenName+' '+familyName+iterationToken+','+organization+''
>>>>>
>>>>>  To
>>>>>
>>>>>  'CN='+name+','+organization+''
>>>>>
>>>>>  Which works since it uses the username instead of first/last and
>>>>> doesn't need the iterator. This might be the best way to go for us in the
>>>>> future; we never delete student accounts, just disable them. Right now we have
>>>>> over 6000 disabled accounts in AD, and in the future using first/last with
>>>>> iterator might get up to flastname54, which I am not sure we would like
>>>>> anyways.
>>>>>
>>>>>  JASON
>>>>>
>>>>> On Wed, Nov 19, 2014 at 1:47 PM, Ivan Noris <ivan.noris at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Jason,
>>>>>>
>>>>>>
>>>>>> > Just on a side note, the username from the db table source gets
>>>>>> > created correctly with the iteration token, it is just not applying
>>>>>> > the iteration token when building the DN for AD.
>>>>>> >
>>>>>>
>>>>>> So I recommend to wait for Pavol's resolution then. He's our primary AD
>>>>>> connector specialist. From what you've written it _looks_ like an AD
>>>>>> connector specific issue. But it's strange as I've used the AD connector
>>>>>> with iterator for even older midPoint versions - and it has worked.
>>>>>>
>>>>>> I'd have another look at it too, just in case.
>>>>>>
>>>>>> Regards,
>>>>>> Ivan
>>>>>>
>>>>>> --
>>>>>>   Ing. Ivan Noris
>>>>>>   Senior Identity Management Engineer
>>>>>>   evolveum.com
>>>>>>   ___________________________________________
>>>>>>            "Idem per idem - semper idem Vix."
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>  CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is proprietary and
>>>>> confidential; intended for only the recipient(s) named above and may
>>>>> contain information that is privileged. You should not retain, copy or use
>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>> computer.
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>
>
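
An added example, not code from this thread and not midPoint's own implementation: a small Python simulation of the point Ivan makes above, that the iteration token belongs to the account being created (the shadow) rather than to the user object, so the expression 'cn=' + fullName + iterationToken + ',' + organization yields "cn=Jack Sparrow" for the first account and "cn=Jack Sparrow1" for the second even though both users have iteration 0. It assumes (labelled in the code) that iteration 0 produces an empty token and iteration n produces the string n, that maxIterations is the highest iteration tried, and that DN comparison is case-insensitive. It also adds RFC 4514 escaping of the cn value, which the thread's expressions do not do, and expects organization to already be a plain string (the "cn=Tim Hecks2,[OU=AAD,...]" output earlier in the thread is what an unconverted multi-valued property looks like).

```python
# Added example (not midPoint code): simulate account-level iteration for
# building a unique AD DN from fullName + iterationToken + organization.
#
# Assumptions, labelled here: the iteration counter is per account (shadow),
# not per user; iteration 0 -> '' and iteration n>0 -> str(n); maxIterations
# is the highest iteration attempted; DNs compare case-insensitively.

MAX_ITERATIONS = 5  # mirrors <maxIterations>5</maxIterations> from the thread

# Constructed sample data: one DN already present in the target directory,
# written in the upper-case form AD returns it in.
EXISTING_DNS = {
    "CN=Jack Sparrow,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL",
}

ORGANIZATION = "ou=AAD,ou=SHP Students,dc=TEST,dc=LOCAL"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 rules).

    Without this a full name such as 'Hecks, Tim' terminates the cn RDN at
    the comma and pushes the rest of the name into the parent DN.
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):          # trailing space must be escaped
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):      # leading '#' or space must be escaped
        out = "\\" + out
    return out


def iteration_token(iteration: int) -> str:
    """Token appended to the name: '' for the first attempt, then '1', '2', ..."""
    return "" if iteration == 0 else str(iteration)


def build_dn(full_name: str, token: str, organization: str) -> str:
    """The thread's expression, with RDN escaping added for the cn value.

    `organization` must already be a plain string (e.g. after stringify);
    concatenating a collection is what produced 'cn=Tim Hecks2,[OU=AAD,...]'.
    """
    return "cn=" + escape_rdn_value(full_name + token) + "," + organization


def normalize_dn(dn: str) -> str:
    """Directory DN comparison is case-insensitive; compare in one case."""
    return dn.lower()


def allocate_dn(full_name, organization, existing, max_iterations=MAX_ITERATIONS):
    """Return (iteration, dn) for the first candidate DN not already taken.

    Raises RuntimeError once the iterations are exhausted, which is how a
    provisioning run should fail rather than collide with an existing entry.
    """
    taken = {normalize_dn(dn) for dn in existing}
    for iteration in range(max_iterations + 1):
        dn = build_dn(full_name, iteration_token(iteration), organization)
        if normalize_dn(dn) not in taken:
            return iteration, dn
    raise RuntimeError(
        f"no free DN for {full_name!r} within {max_iterations} iterations"
    )


if __name__ == "__main__":
    # Second "Jack Sparrow": the user object still has iteration 0, but the
    # account gets token '1' because the clash is found at the account level.
    print(allocate_dn("Jack Sparrow", ORGANIZATION, EXISTING_DNS))
    print(allocate_dn("Tim Hecks", ORGANIZATION, EXISTING_DNS))
    print(build_dn("Hecks, Tim", "", ORGANIZATION))
```

Run it as a script to see the two allocations and the escaped name; the RuntimeError path is what you want surfaced in the provisioning log when a popular name has used up all its iterations.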
