[midPoint] AD Groups, Getting Security Violation

Pavol Mederly mederly at evolveum.com
Thu Nov 27 23:18:01 CET 2014


Hello Jason,

as far as I know, in Active Directory CN is not updateable. It suffices 
to create/update the icfs:name attribute, and CN is updated automatically.

So, I would suggest dropping the outbound mapping from the CN attribute, i.e. 
this one:

                     <outbound>
                         <source>
                             <path>$focus/name</path>
                         </source>
                     </outbound>

Best regards,
Pavol

On 27. 11. 2014 19:23, Jason Everling wrote:
> I cannot figure this one out. I followed the groups sync in the wiki 
> and from the GitHub samples along with the metarole and role template.
>
> When creating a role in midPoint it attempts to create the group in AD 
> but I get an error; looking at the debug page, it has the correct DN and CN.
>
> operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute
>
>   * Security violation during processing shadow shadow: null
>     (OID:null): Attempt to add shadow with non-createable attribute
>     {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn
>   * Security violation during processing shadow shadow: null
>     (OID:null): Attempt to add shadow with non-createable attribute
>     {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn
>
>
> Activity 	Status 	Resource object (if applicable)
> Computing projections of the focus object 	
> 	
> Entitlement (group) on Active Directory 	
> 	Add:Fatal error -> cn=TESTER,ou=Groups,dc=test,dc=local
>
>
> I attached the AD Resource, Role Template, and MetaRole

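Added example, not part of the original thread and not midPoint code: a small Python check that takes the "non-createable attribute" error quoted above and lists the attribute definitions in a resource's schemaHandling that still carry an outbound mapping for that attribute. The resource fragment is a constructed sample, and attributes are matched by local name only (the namespace is ignored), which is a simplification.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the error text as quoted in the thread, and a minimal
# schemaHandling fragment (not the poster's actual resource file).
ERROR = ("Security violation during processing shadow shadow: null (OID:null): "
         "Attempt to add shadow with non-createable attribute "
         "{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn")

RESOURCE_XML = """
<objectType xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <attribute>
    <ref>icfs:name</ref>
    <outbound><source><path>$focus/name</path></source></outbound>
  </attribute>
  <attribute>
    <ref>ri:cn</ref>
    <outbound><source><path>$focus/name</path></source></outbound>
  </attribute>
  <attribute>
    <ref>ri:description</ref>
  </attribute>
</objectType>
"""

def local(name):
    """Strip an XML namespace ({ns}tag) or a QName prefix (ri:cn)."""
    return re.split(r"[}:]", name)[-1]

def blocked_attributes(error_text):
    """Local names of attributes the error reports as non-createable."""
    found = re.findall(r"non-createable attribute (\{[^}]+\}\w+)", error_text)
    return {local(qname) for qname in found}

def offending_mappings(resource_xml, blocked):
    """Refs of <attribute> definitions that are blocked yet have an <outbound>."""
    hits = []
    for el in ET.fromstring(resource_xml).iter():
        if local(el.tag) != "attribute":
            continue
        kids = {local(child.tag): child for child in el}
        ref = (kids["ref"].text or "").strip() if "ref" in kids else ""
        if "outbound" in kids and local(ref) in blocked:
            hits.append(ref)
    return hits

if __name__ == "__main__":
    for ref in offending_mappings(RESOURCE_XML, blocked_attributes(ERROR)):
        print(f"remove <outbound> from {ref}: attribute is not createable")
```

On the constructed sample this reports only ri:cn; the icfs:name mapping, which is the one that actually sets the DN, is left alone.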