[midPoint] AD Groups, Getting Security Violation
Pavol Mederly
mederly at evolveum.com
Thu Nov 27 23:50:17 CET 2014
Ah, this is a stupidity in the original AD connector that I've inherited.
(And didn't have the courage to fix up to now.)
Sorry for that.
For groups, please use *samAccountName* (not sAMAccountName), as for users.
Best regards,
Pavol
> Spoke too soon, it seems it errors when using sAMAccountName under the
> object type:
>
> Definition of attribute sAMAccountName not found in object class
> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}CustomGroupObjectClass
>
>
> On Thu, Nov 27, 2014 at 4:40 PM, Jason Everling <jeverling at bshp.edu> wrote:
>
> Hah, never mind, I just needed to create an attribute for
> sAMAccountName under the object type using the +name+ outbound.
>
> JASON
>
> On Thu, Nov 27, 2014 at 4:36 PM, Jason Everling <jeverling at bshp.edu> wrote:
>
> Not sure why I didn't think about that after looking at it so
> many times, working now.
>
> One more question: the roles get created in AD as groups now,
> but it does not update the sAMAccountName, so it created
> cn=tester,ou=groups,dc=test,dc=local and the common name is
> testers, but the sAMAccountName or the Group Name (Pre-Windows
> 2000) is a random value like $K61000-DN631FIPKSLL.
>
> How can that be fixed?
>
> Thanks Again!
> JASON
>
> On Thu, Nov 27, 2014 at 4:18 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>
> Hello Jason,
>
> as far as I know, in Active Directory CN is not
> updatable. It suffices to create/update the icfs:name
> attribute, and CN is updated automatically.
>
> So, I would suggest dropping the outbound mapping from the CN
> attribute, i.e. this one:
>
> <outbound>
>     <source>
>         <path>$focus/name</path>
>     </source>
> </outbound>
>
> Best regards,
> Pavol
>
>
> On 27. 11. 2014 19:23, Jason Everling wrote:
>> I cannot figure this one out. I followed the groups sync
>> in the wiki and the GitHub samples along with the
>> metarole and role template.
>>
>> When creating a role in midPoint it attempts to create
>> the group in AD, but I get an error; looking at the debug
>> page, it has the correct DN and CN.
>>
>> operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute
>>
>> * Security violation during processing shadow shadow:
>> null (OID:null): Attempt to add shadow with
>> non-createable attribute
>> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn
>> * Security violation during processing shadow shadow:
>> null (OID:null): Attempt to add shadow with
>> non-createable attribute
>> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn
>>
>>
>> Activity | Status | Resource object (if applicable)
>> Computing projections of the focus object | |
>> Entitlement (group) on Active Directory | Add: Fatal error | cn=TESTER,ou=Groups,dc=test,dc=local
>>
>>
>> I attached the AD Resource, Role Template, and MetaRole.
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
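The configuration the thread converges on, written out as an added example (it is not from the original messages or from midPoint's own samples): the AD group object type maps icfs:name, from which AD derives CN, and samAccountName from the role name, and carries no outbound mapping on cn. The ri: and icfs: prefixes, the strength settings and the Groovy expression building the DN under ou=Groups,dc=test,dc=local are assumptions.

```xml
<!-- Added example: schemaHandling fragment for the AD group object type.
     Assumes the ri: (resource instance) and icfs: (ICF framework) prefixes
     are declared on the enclosing <resource> element and that groups live
     under ou=Groups,dc=test,dc=local (the base used in the thread). -->
<objectType>
    <kind>entitlement</kind>
    <intent>group</intent>
    <displayName>AD group</displayName>
    <objectClass>ri:CustomGroupObjectClass</objectClass>

    <!-- icfs:name carries the DN. AD derives CN from it, so there is no
         mapping on ri:cn at all: that attribute is not creatable, which is
         what the "non-createable attribute ...cn" security violation says. -->
    <attribute>
        <ref>icfs:name</ref>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <script>
                    <code>'cn=' + name + ',ou=Groups,dc=test,dc=local'</code>
                </script>
            </expression>
        </outbound>
    </attribute>

    <!-- Group Name (pre-Windows 2000). Without this mapping AD keeps the
         random value it assigns on creation. The attribute is spelled
         samAccountName (lower-case s), as the connector exposes it for
         groups, the same as for users. -->
    <attribute>
        <ref>ri:samAccountName</ref>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>$focus/name</path>
            </source>
        </outbound>
    </attribute>
</objectType>
```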