[midPoint] Target Synchronization/Reconciliation

Ivan Noris ivan.noris at evolveum.com
Tue Feb 17 16:12:34 CET 2015


The reconciliation task can be created in GUI:

1. go to Server Tasks
2. click New task
3. choose a name for the task
4. select Reconciliation as type
5. select resource to run on
6. select kind (accounts are kind "account")
7. choose intent (the default intent is "default")
8. if you wish to schedule the task, check "Recurring task"
9. choose your Schedule interval (seconds), i.e. 3600 (one hour)
10. save the task

If you wish to run the reconciliation one-time only, you can leave
recurring task off. The reconciliation task will start as scheduled or
can be run manually by selecting the task and clicking "Run now".

The "dry run" checkbox is especially cool for testing the correlation
expressions. The reconciliation will be executed, accounts will be
correlated, but nothing will be changed.

For reconciling other-than-accounts, specify kind and intent as you need.

Regards,
Ivan

On 02/17/2015 02:35 PM, Anand Kothekar wrote:
> Hi Ivan,
>
> After importing an account, one task was created, so can I use that same
> task for reconciliation, or is it recommended to create a new task? If so,
> can you please provide me guidelines (or point me to an appropriate
> document) for creating a new reconciliation task?
>
> It is absolutely right that I don't want a user to be created in
> midpoint if there is an account in ldap that does not match any
> user in midpoint (that's why I removed that "unmatched" situation).
>
> So basically I want to reconcile/link accounts in midpoint which are
> present in ldap.
>
> I have attached the resource with this mail. Please find the attachment.
>
>
>
> Thanks,
> Anand
>
> On Tue, Feb 17, 2015 at 6:06 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>     Hi Anand,
>
>     first, reconciliation and import task are similar, but not the
>     same. I omitted Importing from my previous mail, sorry. But no
>     harm done, the process is very similar, the difference is when
>     running the import, you just press the button in GUI. For
>     reconciliation, you can create the reconciliation task in Server
>     Tasks - New task. Reconciliation can be scheduled, import cannot.
>
>     Your error seems to be related to the fact that there is no
>     username (midPoint attribute user/name) generated while
>     synchronizing. Looking at your configuration, I'm missing
>     "unmatched" situation with possible addFocus reaction. This means
>     you will not create users in midPoint based on OpenLDAP accounts
>     which may be ok - depends on situations and what you want to achieve.
>
>     Could you please send the resource object, not only
>     synchronization part?
>
>     Regards,
>     Ivan
>
>
>     On 02/17/2015 11:22 AM, Anand Kothekar wrote:
>>     Hi,
>>
>>
>>     I want to raise a reconciliation task which will start
>>     synchronization. For that I have modified one of my resources
>>     (Open Ldap User) with:
>>
>>     <synchronization>
>>           <objectSynchronization>
>>              <enabled>true</enabled>
>>              <correlation xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
>>                 <q:description>synchronization example.</q:description>
>>                 <q:equal>
>>                    <q:path>name</q:path>
>>                    <expression>
>>                       <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>                               xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">declare namespace ri='http://midpoint.evolveum.com/xml/ns/public/resource/instance-3'; $account/attributes/ri:uid</c:path>
>>                    </expression>
>>                 </q:equal>
>>              </correlation>
>>              <reaction>
>>                 <situation>linked</situation>
>>                 <synchronize>true</synchronize>
>>              </reaction>
>>              <reaction>
>>                 <situation>deleted</situation>
>>                 <synchronize>true</synchronize>
>>                 <action>
>>                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
>>                 </action>
>>              </reaction>
>>              <reaction>
>>                 <situation>unlinked</situation>
>>                 <synchronize>true</synchronize>
>>                 <action>
>>                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>>                 </action>
>>              </reaction>         
>>           </objectSynchronization>
>>        </synchronization>
>>
>>
>>     Then I selected resource --> Open Ldap User --> "import accounts",
>>     which raised a task, but it failed.
>>
>>     Failed to import:
>>     com.evolveum.midpoint.util.exception.SchemaException: No name in
>>     new object null as produced by template null in iteration 0, we
>>     cannot process an object without a name: Failed to import:
>>     com.evolveum.midpoint.util.exception.SchemaException: No name in
>>     new object null as produced by template null in iteration 0, we
>>     cannot process an object without a name
>>
>>
>>     Can you please tell me where I am mistaken, or am I following the
>>     wrong approach?
>>
>>     Thanks,
>>     Anand
>>
>>     On Tue, Feb 17, 2015 at 2:42 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>
>>         Hi Anand,
>>
>>         correlation/confirmation expressions tell midPoint how to
>>         check if the account in the resource has an owner in midPoint.
>>
>>         Based on result, synchronization situation is determined
>>         (UNMATCHED, UNLINKED, LINKED etc.) and corresponding action
>>         (link, delete, ...) can be executed.
>>
>>         These settings are per resource (e.g. LDAP resource) and per
>>         object type. In minimum configuration, for default account
>>         (kind=account, intent=default). Different configuration can
>>         be specified for different account types or other objects
>>         (e.g. groups).
>>
>>         The configuration WHEN the synchronization should be
>>         performed differs. It can be:
>>         - opportunistic sync: no tasks; midPoint can detect
>>         inconsistencies while provisioning (i.e. trying to create an
>>         account in LDAP, but the account is already there)
>>         - livesync: livesync task running; midPoint can detect
>>         inconsistencies in real time (if the resource supports it;
>>         i.e. OpenDJ or Oracle DSEE have changelog plugin which can be
>>         used). Livesync task detects CHANGES in the resource accounts.
>>         - reconciliation: reconciliation task running; midPoint can
>>         detect inconsistencies in scheduled times. Reconciliation
>>         task processes ALL resource objects, not only changes.
>>
>>         All of our resource samples with "-sync" in the filename
>>         should be configured for livesync synchronization and they
>>         should also include the task.
>>
>>         Regards,
>>         I.
>>
>>
>>         On 02/17/2015 07:50 AM, Anand Kothekar wrote:
>>>         Hi,
>>>
>>>         I was working on Synchronization where I have a requirement
>>>         to keep data in resource and midpoint repository synchronized.
>>>
>>>         Like, if any account exists on ldap, then it should be linked
>>>         with the user matching the uid of the user in midpoint.
>>>
>>>         I have gone through the concept of correlation and
>>>         confirmation expression but I am not clear with the proper
>>>         approach to follow.
>>>
>>>         Please let me know how to achieve this and also mention any
>>>         sample example for it.
>>>
>>>
>>>
>>>         Thanks,
>>>         Anand
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer & IDM Architect
>>           evolveum.com <http://evolveum.com>                     evolveum.com/blog/ <http://evolveum.com/blog/>
>>           ___________________________________________________
>>           "Semper Id(e)M Vix."

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."

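As an added illustration (not part of the original thread and not midPoint's own code), this simplified Python model shows how the quoted correlation rule (user name equals LDAP uid) and the configured reactions play out over one reconciliation pass, with and without dry run. The function names and the sample accounts are assumptions constructed for the example.

```python
"""Simplified model of a reconciliation pass (added example, not midPoint code)."""

# Reactions from the quoted <synchronization> block: situation -> action.
# "unmatched" is deliberately absent, so ownerless accounts get no action.
REACTIONS = {"linked": None, "deleted": "unlink", "unlinked": "link"}


def classify(uid, on_resource, users, links):
    """Return (situation, owner) for one account, correlating user name == uid."""
    if uid in links:
        return ("linked" if on_resource else "deleted"), links[uid]
    owners = [u for u in users if u == uid]  # models the q:equal name/uid rule
    if not owners:
        return "unmatched", None
    return "unlinked", owners[0]


def reconcile(ldap_uids, users, links, dry_run=False):
    """Process ALL accounts: those on the resource plus those already linked.

    links maps account uid -> owning user name and is only modified when
    dry_run is False. Returns a report of (uid, situation, action) tuples.
    """
    report = []
    for uid in sorted(set(ldap_uids) | set(links)):
        situation, owner = classify(uid, uid in ldap_uids, users, links)
        action = REACTIONS.get(situation)
        report.append((uid, situation, action))
        if dry_run or action is None:
            continue
        if action == "link":
            links[uid] = owner
        elif action == "unlink":
            del links[uid]
    return report


# Constructed sample data: three LDAP accounts, three midPoint users.
LDAP = {"alice", "bob", "svc-backup"}
USERS = {"alice", "bob", "carol"}

if __name__ == "__main__":
    # carol is still linked, but her account no longer exists in LDAP.
    links = {"alice": "alice", "carol": "carol"}
    for row in reconcile(LDAP, USERS, links, dry_run=True):
        print(row)
```

In this model the `svc-backup` account stays `unmatched` with no action on every pass, which is the effect of leaving out the "unmatched" reaction: such ownerless accounts are reported but never linked or turned into users.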