[midPoint] Target Synchronization/Reconciliation
Ivan Noris
ivan.noris at evolveum.com
Tue Feb 17 16:08:12 CET 2015
OK!
If there are any other questions just ask and we will try to help as soon as
we can.
Regards,
Ivan
On 02/17/2015 03:51 PM, Anand Kothekar wrote:
> Hi Ivan,
>
> The Account reconciliation worked for me. I actually forgot to give
> similar object class to user in ldap, that's why it was not populating
> account in midpoint.
>
> Thanks for the assistance.
>
> Regards,
> Anand
>
> On Tue, Feb 17, 2015 at 7:05 PM, Anand Kothekar
> <anand.kothekar at confluxsys.com <mailto:anand.kothekar at confluxsys.com>>
> wrote:
>
> Hi Ivan,
>
> After importing an account one task was created, so can I use that
> same task for reconciliation or is it recommended to create a new
> task? If so, can you please provide me guidelines (or point me to
> appropriate document) for creating a new reconciliation task?
>
> It is absolutely right that I don't want user to be created in
> midpoint if there is an account in ldap that does not match to any
> user in midpoint (that's why I removed that "unmatched" situation).
>
> So basically I want to reconcile/link accounts in midpoint which
> are present in ldap.
>
> I have attached resource with this mail. Please find the attachment.
>
>
>
> Thanks,
> Anand
>
> On Tue, Feb 17, 2015 at 6:06 PM, Ivan Noris
> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
> Hi Anand,
>
> first, reconciliation and import task are similar, but not the
> same. I omitted Importing from my previous mail, sorry. But no
> harm done, the process is very similar, the difference is when
> running the import, you just press the button in GUI. For
> reconciliation, you can create the reconciliation task in
> Server Tasks - New task. Reconciliation can be scheduled,
> import cannot.
>
> Your error seems to be related to the fact that there is no
> username (midPoint attribute user/name) generated while
> synchronizing. Looking at your configuration, I'm missing
> "unmatched" situation with possible addFocus reaction. This
> means you will not create users in midPoint based on OpenLDAP
> accounts which may be ok - depends on situations and what you
> want to achieve.
>
> Could you please send the resource object, not only
> synchronization part?
>
> Regards,
> Ivan
>
>
> On 02/17/2015 11:22 AM, Anand Kothekar wrote:
>> Hi,
>>
>>
>> I want to raise a reconciliation task which will start
>> synchronization. For that I have modified one of my resource
>> (Open Ldap User) with,
>>
>> <synchronization>
>>     <objectSynchronization>
>>         <enabled>true</enabled>
>>         <correlation xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
>>             <q:description>synchronization example.</q:description>
>>             <q:equal>
>>                 <q:path>name</q:path>
>>                 <expression>
>>                     <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>                             xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">declare namespace ri='http://midpoint.evolveum.com/xml/ns/public/resource/instance-3'; $account/attributes/ri:uid</c:path>
>>                 </expression>
>>             </q:equal>
>>         </correlation>
>>         <reaction>
>>             <situation>linked</situation>
>>             <synchronize>true</synchronize>
>>         </reaction>
>>         <reaction>
>>             <situation>deleted</situation>
>>             <synchronize>true</synchronize>
>>             <action>
>>                 <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
>>             </action>
>>         </reaction>
>>         <reaction>
>>             <situation>unlinked</situation>
>>             <synchronize>true</synchronize>
>>             <action>
>>                 <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>>             </action>
>>         </reaction>
>>     </objectSynchronization>
>> </synchronization>
>>
>>
>> Then I selected resource --> Open Ldap User --> "import
>> accounts", which raised a task but failed.
>>
>> Failed to import:
>> com.evolveum.midpoint.util.exception.SchemaException: No name
>> in new object null as produced by template null in iteration
>> 0, we cannot process an object without a name: Failed to
>> import: com.evolveum.midpoint.util.exception.SchemaException:
>> No name in new object null as produced by template null in
>> iteration 0, we cannot process an object without a name
>>
>>
>> Can you please tell me where I am mistaken, or am I
>> following the wrong approach?
>>
>> Thanks,
>> Anand
>>
>> On Tue, Feb 17, 2015 at 2:42 PM, Ivan Noris
>> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>> Hi Anand,
>>
>> Correlation/confirmation expressions tell midPoint how to
>> check if the account in the resource has an owner in
>> midPoint.
>>
>> Based on result, synchronization situation is determined
>> (UNMATCHED, UNLINKED, LINKED etc.) and corresponding
>> action (link, delete, ...) can be executed.
>>
>> These settings are per resource (e.g. LDAP resource) and
>> per object type. In minimum configuration, for default
>> account (kind=account, intent=default). Different
>> configuration can be specified for different account
>> types or other objects (e.g. groups).
>>
>> The configuration WHEN the synchronization should be
>> performed differs. It can be:
>> - opportunistic sync: no tasks; midPoint can detect
>> inconsistencies while provisioning (i.e. trying to create
>> an account in LDAP, but the account is already there)
>> - livesync: livesync task running; midPoint can detect
>> inconsistencies in real time (if the resource supports
>> it; i.e. OpenDJ or Oracle DSEE have changelog plugin
>> which can be used). Livesync task detects CHANGES in the
>> resource accounts.
>> - reconciliation: reconciliation task running; midPoint
>> can detect inconsistencies in scheduled times.
>> Reconciliation task processes ALL resource objects, not
>> only changes.
>>
>> All of our resource samples with "-sync" in the filename
>> should be configured for livesync synchronization and
>> they should also include the task.
>>
>> Regards,
>> I.
>>
>>
>> On 02/17/2015 07:50 AM, Anand Kothekar wrote:
>>> Hi,
>>>
>>> I was working on Synchronization where I have a
>>> requirement to keep data in resource and midpoint
>>> repository synchronized.
>>>
>>> Like if any account exists on ldap then it should be
>>> linked with the user matching with the uid of user in
>>> midpoint.
>>>
>>> I have gone through the concept of correlation and
>>> confirmation expression but I am not clear with the
>>> proper approach to follow.
>>>
>>> Please let me know how to achieve this and also mention
>>> any sample example for it.
>>>
>>>
>>>
>>> Thanks,
>>> Anand
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ing. Ivan Noris
>> Senior Identity Management Engineer & IDM Architect
>> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
>> ___________________________________________________
>> "Semper Id(e)M Vix."
>>
>>
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer & IDM Architect
> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
> ___________________________________________________
> "Semper Id(e)M Vix."
>
>
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
-------------- next part --------------
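Added example, not part of the original thread and not midPoint code: a simplified Python model of the correlation -> situation -> reaction flow described above, using the three reactions from the posted resource (no "unmatched" reaction). All function names and sample data are constructed for illustration; it shows that a reconciliation pass links correlated accounts, unlinks deleted ones, and leaves unowned LDAP accounts untouched but visible for review.

```python
# Simplified model of correlation -> situation -> reaction as described in
# the thread. Not midPoint code; all names and sample data are constructed.

# Reactions from the resource posted in the thread. "unmatched" is absent,
# so an LDAP account without a correlating user gets no action (no user is
# created for it).
REACTIONS = {"linked": None, "deleted": "unlink", "unlinked": "link"}


def classify(uid, on_resource, users, links):
    """Return the synchronization situation for one account uid."""
    if uid in links:  # the repository already records an owner
        return "linked" if on_resource else "deleted"
    # Correlation rule from the thread: user name == account uid.
    owners = [u for u in users if u["name"] == uid]
    if not owners:
        return "unmatched"
    return "unlinked" if len(owners) == 1 else "disputed"


def reconcile(accounts, users, links):
    """Process ALL resource accounts, plus links whose account is gone.

    Returns (report, new_links); report rows are (uid, situation, action).
    """
    links = dict(links)
    present = {a["uid"] for a in accounts}
    report = []
    for uid in sorted(present | set(links)):
        sit = classify(uid, uid in present, users, links)
        action = REACTIONS.get(sit)  # None when no reaction is configured
        if action == "link":
            links[uid] = uid  # owner found by correlation: name == uid
        elif action == "unlink":
            del links[uid]
        report.append((uid, sit, action))
    return report, links


def orphans(report):
    """Accounts with no single owner in the repository: review by hand."""
    return [uid for uid, sit, _ in report if sit in ("unmatched", "disputed")]


# Constructed sample data.
USERS = [{"name": "alice"}, {"name": "bob"}, {"name": "carol"}]
LDAP_ACCOUNTS = [{"uid": "alice"}, {"uid": "bob"}, {"uid": "svc-backup"}]
LINKS = {"alice": "alice", "carol": "carol"}  # account uid -> owner name
```

Calling `reconcile(LDAP_ACCOUNTS, USERS, LINKS)` and passing the report to `orphans()` lists the accounts that exist in LDAP but have no midPoint owner.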