[midPoint] Target Synchronization/Reconciliation
Anand Kothekar
anand.kothekar at confluxsys.com
Tue Feb 17 14:35:06 CET 2015
Hi Ivan,
After importing an account one task was created, so can I use that same task
for reconciliation, or is it recommended to create a new task? If so, can you
please provide me guidelines (or point me to the appropriate document) for
creating a new reconciliation task?
It is absolutely right that I don't want a user to be created in midPoint if
there is an account in LDAP that does not match any user in midPoint
(that's why I removed that "unmatched" situation).
So basically I want to reconcile/link accounts in midPoint which are
present in LDAP.
I have attached the resource with this mail. Please find the attachment.
Thanks,
Anand
On Tue, Feb 17, 2015 at 6:06 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
> Hi Anand,
>
> first, reconciliation and import task are similar, but not the same. I
> omitted Importing from my previous mail, sorry. But no harm done, the
> process is very similar, the difference is when running the import, you
> just press the button in GUI. For reconciliation, you can create the
> reconciliation task in Server Tasks - New task. Reconciliation can be
> scheduled, import cannot.
>
> Your error seems to be related to the fact, that there is no username
> (midPoint attribute user/name) generated while synchronizing. Looking at
> your configuration, I'm missing "unmatched" situation with possible
> addFocus reaction. This means you will not create users in midPoint based
> on OpenLDAP accounts which may be ok - depends on situations and what you
> want to achieve.
>
> Could you please send the resource object, not only synchronization part?
>
> Regards,
> Ivan
>
>
> On 02/17/2015 11:22 AM, Anand Kothekar wrote:
>
> Hi,
>
>
> I want to raise a reconciliation task which will start synchronization.
> For that I have modified one of my resource (Open Ldap User) with,
>
> <synchronization>
>   <objectSynchronization>
>     <enabled>true</enabled>
>     <correlation xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
>       <q:description>synchronization example.</q:description>
>       <q:equal>
>         <q:path>name</q:path>
>         <expression>
>           <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>                   xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">declare namespace ri='http://midpoint.evolveum.com/xml/ns/public/resource/instance-3'; $account/attributes/ri:uid</c:path>
>         </expression>
>       </q:equal>
>     </correlation>
>     <reaction>
>       <situation>linked</situation>
>       <synchronize>true</synchronize>
>     </reaction>
>     <reaction>
>       <situation>deleted</situation>
>       <synchronize>true</synchronize>
>       <action>
>         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
>       </action>
>     </reaction>
>     <reaction>
>       <situation>unlinked</situation>
>       <synchronize>true</synchronize>
>       <action>
>         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>       </action>
>     </reaction>
>   </objectSynchronization>
> </synchronization>
>
>
> Then I selected resource --> Open Ldap User --> "import accounts", which
> raised a task, but it failed.
>
> Failed to import: com.evolveum.midpoint.util.exception.SchemaException:
> No name in new object null as produced by template null in iteration 0, we
> cannot process an object without a name: Failed to import:
> com.evolveum.midpoint.util.exception.SchemaException: No name in new object
> null as produced by template null in iteration 0, we cannot process an
> object without a name
>
>
> Can you please tell me where I am mistaken, or am I following the wrong
> approach?
>
> Thanks,
> Anand
>
> On Tue, Feb 17, 2015 at 2:42 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>> Hi Anand,
>>
>> correlation/confirmation expressions tell midPoint how to check if the
>> account in the resource has an owner in midPoint.
>>
>> Based on result, synchronization situation is determined (UNMATCHED,
>> UNLINKED, LINKED etc.) and corresponding action (link, delete, ...) can be
>> executed.
>>
>> These settings are per resource (e.g. LDAP resource) and per object type.
>> In minimum configuration, for default account (kind=account,
>> intent=default). Different configuration can be specified for different
>> account types or other objects (e.g. groups).
>>
>> The configuration WHEN the synchronization should be performed differs.
>> It can be:
>> - opportunistic sync: no tasks; midPoint can detect inconsistencies while
>> provisioning (i.e. trying to create an account in LDAP, but the account is
>> already there)
>> - livesync: livesync task running; midPoint can detect inconsistencies in
>> real time (if the resource supports it; i.e. OpenDJ or Oracle DSEE have
>> changelog plugin which can be used). Livesync task detects CHANGES in the
>> resource accounts.
>> - reconciliation: reconciliation task running; midPoint can detect
>> inconsistencies in scheduled times. Reconciliation task processes ALL
>> resource objects, not only changes.
>>
>> All of our resource samples with "-sync" in the filename should be
>> configured for livesync synchronization and they should also include the
>> task.
>>
>> Regards,
>> I.
>>
>>
>> On 02/17/2015 07:50 AM, Anand Kothekar wrote:
>>
>> Hi,
>>
>> I was working on Synchronization where I have a requirement to keep
>> data in resource and midpoint repository synchronized.
>>
>> like If any account exists on ldap then it should be linked with the
>> user matching with the uid of user in midpoint.
>>
>> I have gone through the concept of correlation and confirmation
>> expression but I am not clear with the proper approach to follow.
>>
>> Please let me know how to achieve this and also mention any sample
>> example for it.
>>
>>
>>
>> Thanks,
>> Anand
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>> Ing. Ivan Noris
>> Senior Identity Management Engineer & IDM Architect
>> evolveum.com evolveum.com/blog/
>> ___________________________________________________
>> "Semper Id(e)M Vix."
>>
>>
>>
>>
>
>
>
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer & IDM Architect
> evolveum.com evolveum.com/blog/
> ___________________________________________________
> "Semper Id(e)M Vix."
>
>
>
>
-------------- next part --------------
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
oid="d0811790-1d80-11e4-86b2-3c970e467874"
version="65">
<name>OpenLdap User</name>
<description>LDAP resource using a ConnId LDAP connector. It contains configuration
for use with OpenLDAP servers.</description>
<metadata>
<createTimestamp>2015-01-23T11:37:42.129+05:30</createTimestamp>
<creatorRef oid="00000000-0000-0000-0000-000000000002" type="UserType"><!-- administrator --></creatorRef>
<createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
</metadata>
<operationalState>
<lastAvailabilityStatus>up</lastAvailabilityStatus>
</operationalState>
<connectorRef oid="40a94422-adae-4c6e-915b-375bf6643d6a" type="ConnectorType"><!-- ICF org.identityconnectors.ldap.LdapConnector v1.4.0.1-SNAPSHOT -->
<description>
Reference to the OpenICF LDAP connector. This is dynamic reference, it will be translated to
OID during import.
</description>
<filter xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
<q:equal>
<q:path>connectorType</q:path>
<q:value>org.identityconnectors.ldap.LdapConnector</q:value>
</q:equal>
</filter>
</connectorRef>
<connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
<icfc:resultsHandlerConfiguration>
<icfc:enableCaseInsensitiveFilter>true</icfc:enableCaseInsensitiveFilter>
</icfc:resultsHandlerConfiguration>
<icfc:configurationProperties xmlns:gen755="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/org.identityconnectors.ldap.LdapConnector">
<gen755:modifiersNamesToFilterOut>cn=manager,dc=confluxsys,dc=com</gen755:modifiersNamesToFilterOut>
<gen755:credentials xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
<t:encryptedData>
<t:encryptionMethod>
<t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
</t:encryptionMethod>
<t:keyInfo>
<t:keyName>cz9MXwgN8ytyDnox8U5L91QU9ew=</t:keyName>
</t:keyInfo>
<t:cipherData>
<t:cipherValue>wKpZfdsk+gV3XCbiVbDP5h3oGjg4ZXfkgFMUGCdw4tdXeF0=</t:cipherValue>
</t:cipherData>
</t:encryptedData>
</gen755:credentials>
<gen755:port>389</gen755:port>
<gen755:vlvSortAttribute>uid</gen755:vlvSortAttribute>
<gen755:useBlocks>true</gen755:useBlocks>
<gen755:principal>cn=admin,dc=confluxsys,dc=com</gen755:principal>
<gen755:baseContexts>dc=confluxsys,dc=com</gen755:baseContexts>
<gen755:accountObjectClasses>top</gen755:accountObjectClasses>
<gen755:accountObjectClasses>person</gen755:accountObjectClasses>
<gen755:accountObjectClasses>organizationalPerson</gen755:accountObjectClasses>
<gen755:accountObjectClasses>inetOrgPerson</gen755:accountObjectClasses>
<gen755:accountObjectClasses>posixAccount</gen755:accountObjectClasses>
<gen755:accountObjectClasses>hostObject</gen755:accountObjectClasses>
<gen755:host>localhost</gen755:host>
<gen755:groupMemberAttribute>memberUid</gen755:groupMemberAttribute>
<gen755:passwordHashAlgorithm>SSHA</gen755:passwordHashAlgorithm>
<gen755:usePagedResultControl>true</gen755:usePagedResultControl>
</icfc:configurationProperties>
</connectorConfiguration>
<schema>
<cachingMetadata>
<retrievalTimestamp>2015-01-22T06:13:19.662-05:00</retrievalTimestamp>
<serialNumber>7d3693704019ef24-c95036210e59bd1c</serialNumber>
</cachingMetadata>
<definition>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:ra="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"
xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
elementFormDefault="qualified"
targetNamespace="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"/>
<xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
<xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"/>
<xsd:complexType name="CustomposixGroupObjectClass">
<xsd:annotation>
<xsd:appinfo>
<ra:resourceObject/>
<ra:identifier>icfs:uid</ra:identifier>
<ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
<ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
<ra:namingAttribute>icfs:name</ra:namingAttribute>
<ra:nativeObjectClass>posixGroup</ra:nativeObjectClass>
</xsd:appinfo>
</xsd:annotation>
<xsd:sequence>
<xsd:element minOccurs="0" ref="icfs:uid">
<xsd:annotation>
<xsd:appinfo>
<a:displayName>ICF UID</a:displayName>
<a:access>read</a:access>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="description"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="memberUid"
type="xsd:string"/>
<xsd:element ref="icfs:name">
<xsd:annotation>
<xsd:appinfo>
<a:displayName>ICF NAME</a:displayName>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element name="gidNumber" type="xsd:string"/>
<xsd:element maxOccurs="unbounded" name="cn" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="objectClass"
type="xsd:string">
<xsd:annotation>
<xsd:appinfo>
<a:access>read</a:access>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="AccountObjectClass">
<xsd:annotation>
<xsd:appinfo>
<ra:resourceObject/>
<ra:identifier>icfs:uid</ra:identifier>
<ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
<ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
<ra:namingAttribute>icfs:name</ra:namingAttribute>
<ra:nativeObjectClass>__ACCOUNT__</ra:nativeObjectClass>
<ra:kind>account</ra:kind>
<ra:default>true</ra:default>
</xsd:appinfo>
</xsd:annotation>
<xsd:sequence>
<xsd:element minOccurs="0" ref="icfs:uid">
<xsd:annotation>
<xsd:appinfo>
<a:displayName>ICF UID</a:displayName>
<a:access>read</a:access>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="posixGroups"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="audio"
type="xsd:base64Binary"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="seeAlso"
type="xsd:string"/>
<xsd:element minOccurs="0" name="employeeNumber" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="roomNumber"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="mail"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="host"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="registeredAddress"
type="xsd:string"/>
<xsd:element name="gidNumber" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="secretary"
type="xsd:string"/>
<xsd:element minOccurs="0" name="preferredLanguage" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="postalAddress"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="jpegPhoto"
type="xsd:base64Binary"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="objectClass"
type="xsd:string">
<xsd:annotation>
<xsd:appinfo>
<a:access>read</a:access>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="userCertificate"
type="xsd:base64Binary"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="description"
type="xsd:string"/>
<xsd:element minOccurs="0" name="loginShell" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="teletexTerminalIdentifier"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="pager"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="carLicense"
type="xsd:string"/>
<xsd:element minOccurs="0" name="displayName" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="labeledURI"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded" name="uid" type="xsd:string"/>
<xsd:element ref="icfs:name">
<xsd:annotation>
<xsd:appinfo>
<a:displayName>ICF NAME</a:displayName>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="gecos" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="homePostalAddress"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="photo"
type="xsd:base64Binary"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="facsimileTelephoneNumber"
type="xsd:string"/>
<xsd:element minOccurs="0" name="preferredDeliveryMethod" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="homePhone"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="x121Address"
type="xsd:string"/>
<xsd:element name="uidNumber" type="xsd:string"/>
<xsd:element maxOccurs="unbounded" minOccurs="0" name="l" type="xsd:string"/>
<xsd:element maxOccurs="unbounded" minOccurs="0" name="o" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="businessCategory"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="street"
type="xsd:string"/>
<xsd:element name="homeDirectory" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="postOfficeBox"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="postalCode"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded" minOccurs="0" name="st" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="manager"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="departmentNumber"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="internationaliSDNNumber"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="employeeType"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="initials"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded" name="sn" type="xsd:string"/>
<xsd:element maxOccurs="unbounded" minOccurs="0" name="ou" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="physicalDeliveryOfficeName"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="telexNumber"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="userSMIMECertificate"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="mobile"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="userPKCS12"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="givenName"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="x500uniqueIdentifier"
type="xsd:base64Binary"/>
<xsd:element maxOccurs="unbounded" name="cn" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="destinationIndicator"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="telephoneNumber"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="title"
type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="CustomolcHdbConfigObjectClass">
<xsd:annotation>
<xsd:appinfo>
<ra:resourceObject/>
<ra:identifier>icfs:uid</ra:identifier>
<ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
<ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
<ra:namingAttribute>icfs:name</ra:namingAttribute>
<ra:nativeObjectClass>olcHdbConfig</ra:nativeObjectClass>
</xsd:appinfo>
</xsd:annotation>
<xsd:sequence>
<xsd:element minOccurs="0" ref="icfs:uid">
<xsd:annotation>
<xsd:appinfo>
<a:displayName>ICF UID</a:displayName>
<a:access>read</a:access>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element minOccurs="0" name="olcDbCheckpoint" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcMirrorMode" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcUpdateRef"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcSyncUseSubentry" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcTimeLimit"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcSizeLimit" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcExtraAttrs"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbCryptFile" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbIDLcacheSize" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbDirtyRead" type="xsd:string"/>
<xsd:element name="olcDatabase" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbDNcacheSize" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcSubordinate" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcReplicationInterval" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbMode" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="objectClass"
type="xsd:string">
<xsd:annotation>
<xsd:appinfo>
<a:access>read</a:access>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcDbConfig"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcLastMod" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbLinearIndex" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcMaxDerefDepth" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcRootPW" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcSuffix"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcRootDN" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbSearchStack" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcRequires"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcReplicaArgsFile" type="xsd:string"/>
<xsd:element ref="icfs:name">
<xsd:annotation>
<xsd:appinfo>
<a:displayName>ICF NAME</a:displayName>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcDbIndex"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbShmKey" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcSchemaDN" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcAccess"
type="xsd:string"/>
<xsd:element name="olcDbDirectory" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcMonitoring" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcDbPageSize"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcReplicaPidFile" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcReplogFile" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcReadOnly" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbLockDetect" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcLimits"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcUpdateDN" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcRestrict"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcReplica"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcSyncrepl"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcSecurity"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbCacheSize" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbCryptKey" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbCacheFree" type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="olcPlugin"
type="xsd:string"/>
<xsd:element minOccurs="0" name="olcAddContentAcl" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcHidden" type="xsd:string"/>
<xsd:element minOccurs="0" name="olcDbNoSync" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="CustomcountryObjectClass">
<xsd:annotation>
<xsd:appinfo>
<ra:resourceObject/>
<ra:identifier>icfs:uid</ra:identifier>
<ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
<ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
<ra:namingAttribute>icfs:name</ra:namingAttribute>
<ra:nativeObjectClass>country</ra:nativeObjectClass>
</xsd:appinfo>
</xsd:annotation>
<xsd:sequence>
<xsd:element minOccurs="0" ref="icfs:uid">
<xsd:annotation>
<xsd:appinfo>
<a:displayName>ICF UID</a:displayName>
<a:access>read</a:access>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="description"
type="xsd:string"/>
<xsd:element name="c" type="xsd:string"/>
<xsd:element ref="icfs:name">
<xsd:annotation>
<xsd:appinfo>
<a:displayName>ICF NAME</a:displayName>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="searchGuide"
type="xsd:string"/>
<xsd:element maxOccurs="unbounded"
minOccurs="0"
name="objectClass"
type="xsd:string">
<xsd:annotation>
<xsd:appinfo>
<a:access>read</a:access>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>
</definition>
</schema>
<schemaHandling>
<objectType>
<kind>account</kind>
<displayName>Normal Account</displayName>
<default>true</default>
<objectClass xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:AccountObjectClass</objectClass>
<attribute>
<ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
<displayName>Distinguished Name</displayName>
<limitations>
<minOccurs>0</minOccurs>
<access>
<read>true</read>
<add>true</add>
<modify>true</modify>
</access>
</limitations>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/name</c:path>
</source>
<expression>
<script>
<code>
'uid=' + name + iterationToken + ',ou=people,dc=confluxsys,dc=com'
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:uid</ref>
<displayName>Entry UUID</displayName>
<limitations>
<access>
<read>true</read>
<add>false</add>
<modify>true</modify>
</access>
</limitations>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</ref>
<displayName>Common Name</displayName>
<limitations>
<minOccurs>0</minOccurs>
<access>
<read>true</read>
<add>true</add>
<modify>true</modify>
</access>
</limitations>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/fullName</c:path>
</source>
</outbound>
<inbound>
<target>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/fullName</c:path>
</target>
</inbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:sn</ref>
<displayName>Surname</displayName>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">familyName</c:path>
</source>
</outbound>
<inbound>
<target>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">familyName</c:path>
</target>
</inbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:givenName</ref>
<displayName>Given Name</displayName>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
</source>
</outbound>
<inbound>
<target>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
</target>
</inbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</ref>
<outbound>
<strength>weak</strength>
<expression>
<description>Expression that assigns a fixed value</description>
<value>Created by midPoint</value>
</expression>
</outbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</ref>
<displayName>Location</displayName>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/locality</c:path>
</source>
</outbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:employeeType</ref>
<displayName>Employee Type</displayName>
<tolerant>false</tolerant>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/employeeType</c:path>
</source>
</outbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:uid</ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<strength>weak</strength>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">name</c:path>
</source>
</outbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:gidNumber</ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<expression>
<script>
<code>return '8682'</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:uidNumber</ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<expression>
<script>
<code>return '1234'</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:homeDirectory</ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<expression>
<script>
<code>return '/home/usr'</code>
</script>
</expression>
</outbound>
</attribute>
<association>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</ref>
<displayName>LDAP Group Membership</displayName>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<direction>objectToSubject</direction>
<associationAttribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:memberUid</associationAttribute>
<valueAttribute>icfs:name</valueAttribute>
</association>
<protected xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">
<icfs:name>cn=manager,dc=confluxsys,dc=com</icfs:name>
</protected>
<activation>
<administrativeStatus>
<outbound/>
<inbound>
<strength>weak</strength>
<expression>
<asIs/>
</expression>
</inbound>
</administrativeStatus>
</activation>
<credentials>
<password>
<outbound>
<expression>
<asIs/>
</expression>
</outbound>
<inbound>
<strength>weak</strength>
<expression>
<generate/>
</expression>
</inbound>
</password>
</credentials>
</objectType>
<objectType>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<displayName>LDAP Group</displayName>
<objectClass xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:CustomposixGroupObjectClass</objectClass>
<attribute>
<ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$focus/name</c:path>
</source>
<expression>
<script>
<code>
import javax.naming.ldap.Rdn
import javax.naming.ldap.LdapName
dn = new LdapName('ou=groups,dc=confluxsys,dc=com')
dn.add(new Rdn('cn', name.toString()))
return dn.toString()
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:memberUid</ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:gidNumber</ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<strength>weak</strength>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$focus/name</c:path>
</source>
</outbound>
</attribute>
<attribute>
<ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</ref>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">description</c:path>
</source>
</outbound>
</attribute>
</objectType>
</schemaHandling>
<capabilities>
<cachingMetadata>
<retrievalTimestamp>2015-01-22T06:13:19.721-05:00</retrievalTimestamp>
<serialNumber>8bafd94bc85de28e-cb256f805646cc69</serialNumber>
</cachingMetadata>
<native xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
<cap:addRemoveAttributeValues/>
<cap:credentials>
<cap:password>
<cap:returnedByDefault>false</cap:returnedByDefault>
</cap:password>
</cap:credentials>
<cap:liveSync/>
<cap:testConnection/>
<cap:create/>
<cap:read/>
<cap:update/>
<cap:delete/>
<cap:script>
<cap:host>
<cap:type>connector</cap:type>
</cap:host>
</cap:script>
</native>
</capabilities>
<synchronization>
<objectSynchronization>
<enabled>true</enabled>
<correlation xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
<q:description>
Correlation expression is a search query.
Following search query will look for users that have "name"
equal to the "uid" attribute of the account. Simply speaking,
it will look for match in usernames in the IDM and the resource.
The correlation rule always looks for users, so it will not match
any other object type.
</q:description>
<q:equal>
<q:path>name</q:path>
<expression>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">declare namespace ri='http://midpoint.evolveum.com/xml/ns/public/resource/instance-3'; $account/attributes/ri:uid</c:path>
</expression>
</q:equal>
</correlation>
<reaction>
<situation>unlinked</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
</action>
</reaction>
</objectSynchronization>
</synchronization>
</resource>
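
The correlation, situation and reaction chain discussed in the thread, applied to the synchronization section of the attached resource. This is an added example, not part of the original messages and not midPoint code: the function names, the user and account data, and the simplified situation logic (a user whose name equals the account uid is the owner; links are modelled as a set of uids) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"

# Constructed excerpt mirroring the reactions in the attached resource
# (only "unlinked" -> link is configured). The correlation rule itself
# (user name == account uid) is hard-coded in classify() below.
RESOURCE_XML = """\
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <synchronization>
    <objectSynchronization>
      <enabled>true</enabled>
      <reaction>
        <situation>unlinked</situation>
        <synchronize>true</synchronize>
        <action>
          <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
        </action>
      </reaction>
    </objectSynchronization>
  </synchronization>
</resource>
"""


def load_reactions(resource_xml):
    """Map each configured situation to the list of action names it triggers."""
    root = ET.fromstring(resource_xml)
    reactions = {}
    for reaction in root.iter(C + "reaction"):
        situation = reaction.findtext(C + "situation", default="").strip()
        actions = [
            uri.text.strip().rsplit("#", 1)[-1]  # keep the part after '#'
            for uri in reaction.iterfind(f"{C}action/{C}handlerUri")
            if uri.text
        ]
        reactions[situation] = actions
    return reactions


def classify(account_uid, users):
    """Simplified situation logic (assumption, not midPoint's implementation).

    users maps a midPoint user name to the set of account uids already
    linked to that user.
    """
    owner_links = users.get(account_uid)  # correlation: name == uid
    if owner_links is None:
        return "unmatched"
    return "linked" if account_uid in owner_links else "unlinked"


def plan(account_uids, users, reactions):
    """Return (uid, situation, actions); actions is None if no reaction exists."""
    return [
        (uid, situation, reactions.get(situation))
        for uid in account_uids
        for situation in [classify(uid, users)]
    ]


def unhandled(planned, situation):
    """Accounts in the given situation for which nothing is configured."""
    return [uid for uid, sit, actions in planned
            if sit == situation and actions is None]


# Constructed sample data: two midPoint users, three LDAP accounts.
USERS = {"alice": {"alice"}, "bob": set()}
LDAP_ACCOUNT_UIDS = ["alice", "bob", "svc-backup"]

if __name__ == "__main__":
    reactions = load_reactions(RESOURCE_XML)
    planned = plan(LDAP_ACCOUNT_UIDS, USERS, reactions)
    for uid, situation, actions in planned:
        print(f"{uid:12} {situation:10} {actions if actions is not None else 'no reaction'}")
    print("unmatched, left untouched:", unhandled(planned, "unmatched"))
```

With only the `unlinked` reaction configured, `svc-backup` is classified as unmatched and left alone, which matches the intent stated in the thread but also means such accounts stay outside midPoint's control until someone reviews them.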