[midPoint] AD Groups, Getting Security Violation
Pavol Mederly
mederly at evolveum.com
Thu Nov 27 23:18:01 CET 2014
Hello Jason,

as far as I know, in Active Directory the CN is not updateable. It suffices
to create/update the icfs:name attribute, and the CN is updated automatically.

So, I would suggest dropping the outbound mapping from the CN attribute, i.e.
this one:

    <outbound>
        <source>
            <path>$focus/name</path>
        </source>
    </outbound>

Best regards,
Pavol

On 27. 11. 2014 19:23, Jason Everling wrote:
> I cannot figure this one out. I followed the groups sync in the wiki
> and from the GitHub samples, along with the metarole and role template.
>
> When creating a role in midPoint it attempts to create the group in AD
> but I get an error; looking at the debug page, it has the correct DN and CN.
>
> operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute
>
> * Security violation during processing shadow shadow: null
> (OID:null): Attempt to add shadow with non-createable attribute
> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn
> * Security violation during processing shadow shadow: null
> (OID:null): Attempt to add shadow with non-createable attribute
> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn
>
>
> Activity Status Resource object (if applicable)
> Computing projections of the focus object
>
> Entitlement (group) on Active Directory
> Add:Fatal error -> cn=TESTER,ou=Groups,dc=test,dc=local
>
>
> I attached the AD Resource, Role Template, and MetaRole
>
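
As an added illustration (not taken from the poster's attached resource, which is not reproduced in this archive), a schemaHandling fragment showing the change suggested in the reply: the outbound mapping stays on icfs:name and the one on ri:cn is dropped. The object class name, the ri:/icfs: prefixes and the DN expression are assumptions; the base DN is the one from the error message in the thread.

```xml
<!-- Added example; layout assumed, not the poster's actual resource definition. -->
<schemaHandling>
    <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <!-- Assumed object class name for AD groups -->
        <objectClass>ri:GroupObjectClass</objectClass>

        <!-- Keep: the name (DN) is what midPoint sets when the group is created.
             CN is the leading RDN of that DN, so AD fills it in itself. -->
        <attribute>
            <ref>icfs:name</ref>
            <outbound>
                <source>
                    <path>$focus/name</path>
                </source>
                <expression>
                    <script>
                        <!-- Base DN as seen in the error message of the thread -->
                        <code>'cn=' + name + ',ou=Groups,dc=test,dc=local'</code>
                    </script>
                </expression>
            </outbound>
        </attribute>

        <!-- Before (rejected with "non-createable attribute ...}cn"):
        <attribute>
            <ref>ri:cn</ref>
            <outbound>
                <source>
                    <path>$focus/name</path>
                </source>
            </outbound>
        </attribute>
        After: no outbound mapping on ri:cn at all. -->
    </objectType>
</schemaHandling>
```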