[midPoint] Fwd: Re: ***UNCHECKED*** Re: Account Creation, Not Being created in AD
Pavol Mederly
mederly at evolveum.com
Fri Feb 20 16:53:59 CET 2015
Hello Jason,
the problem seems to be in your system configuration:
Although in the exported data, there is a correct setting of:
(version = 2)
<globalAccountSynchronizationSettings>
<assignmentPolicyEnforcement>*positive*</assignmentPolicyEnforcement>
</globalAccountSynchronizationSettings>
in reality as seen from the log, midPoint uses the following:
(version = 12)
globalAccountSynchronizationSettings:
com.evolveum.midpoint.xml.ns._public.common.common_3.ProjectionPolicyType at 25d25ec7[assignmentPolicyEnforcement=*NONE*,legalize=<null>]
... and so is seen in the log later:
2015-02-20 08:54:41,698 [] [midPointScheduler_Worker-8] TRACE
(com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor):
Finishing legal decision for (account (default) on
resource:10000000-2000-3000-4000-10000000ad01(Active Directory: Office
365, Google Apps, Moodle)), thombstone false, enforcement mode *NONE*,
legalize false: false -> *false*
The "none" mode is a special mode, in which midPoint simply ignores
all assignments. And as we can see here, it sets legal:=false for this
account, and therefore does not try to create it.
So I'd suggest setting assignment policy enforcement to either
"positive" or "relative" and trying again. :-)
Best regards,
Pavol
On 20. 2. 2015 16:06, Jason Everling wrote:
> Ok I must have missed that one, I removed the condition and source with
>
> <mapping>
> <expression>
> <value>
> <targetRef oid="30000000-aaaa-bbbb-0000-12345678sr01" type="c:RoleType"/>
> </value>
> </expression>
> <target>
> <path>assignment</path>
> </target>
> </mapping>
>
> I was hoping that it would work but it still does not add the account
> to AD though :( , still a lot of nulls in the logs, I attached the new
> logs again for a new user
>
> Isabel Trevino, istrevino
>
> On Fri, Feb 20, 2015 at 1:25 AM, Pavol Mederly <mederly at evolveum.com> wrote:
>
> Hello Jason,
>
> after studying the logs I suspect that the problem is being caused
> by chaining of mappings in the object template "User Template 3".
> The related issue is https://jira.evolveum.com/browse/MID-2149. (I
> know that you've eliminated the majority of chainings -> but this
> one seems to be left there).
>
> See the red-colored parts below.
>
> <objectTemplate
> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> oid="10000000-0000-0000-0000-000000000203"
> version="0">
> <name>User Template 3</name>
> ...
> <mapping>
> <source>
> <c:path
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:bshp="http://www.bshp.edu/xml/ns/public/bshp">declare namespace
> bshp='http://www.bshp.edu/xml/ns/public/bshp';
> $c:user/c:extension/bshp:eduPersonAffiliation</c:path>
> </source>
> <expression>
> <script>
> <code>'student'</code>
> </script>
> </expression>
> <*target*>
> <c:path
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:bshp="http://www.bshp.edu/xml/ns/public/bshp">declare namespace
> bshp='http://www.bshp.edu/xml/ns/public/bshp';
> *$c:user/c:extension/bshp:eduPersonAffiliation*</c:path>
> </target>
> </mapping>
>
> *----->*
> <mapping>
> <*source*>
> <c:path
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:bshp="http://www.bshp.edu/xml/ns/public/bshp">declare namespace
> bshp='http://www.bshp.edu/xml/ns/public/bshp';
> *$c:user/c:extension/bshp:eduPersonAffiliation*</c:path>
> </source>
> <expression>
> <assignmentTargetSearch>
> <targetType
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:RoleType</targetType>
> <oid>30000000-aaaa-bbbb-0000-12345678sr01</oid>
> </assignmentTargetSearch>
> </expression>
> <target>
> <c:path
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">assignment</c:path>
> </target>
> </mapping>
> </objectTemplate>
>
> In the log you can see that this results in an empty assignment of
> the role that should give access to the AD:
>
> 2015-02-19 11:06:47,040 [] [midPointScheduler_Worker-10] TRACE
> (com.evolveum.midpoint.model.common.mapping.Mapping): Mapping trace:
> ---[ MAPPING in
> objectTemplate:10000000-0000-0000-0000-000000000203(User Template
> 3)]---------------------------
> Source:
> {http://www.bshp.edu/xml/ns/public/bshp}eduPersonAffiliation:
> *old=null, delta=null, new=null*
> Target: PCD:{.../common/common-3}assignment
> {.../common/common-3}AssignmentType[0,-1],RAM
> Expression: assignmentExpression
> Condition: true -> true
> Result: *[here should be an assignment but there's nothing there
> because the input is 'null' (not the 'student' as one could
> expect) - this is because of chaining]*
>
> Actually, in a later iteration (in the secondary phase of the
> clockwork processing), the assignment is computed - but it is
> actually too late (just before exiting the processing) - so it is
> not executed. I mean this one:
>
> ---[ MAPPING in
> objectTemplate:10000000-0000-0000-0000-000000000203(User Template
> 3)]---------------------------
> Source:
> {http://www.bshp.edu/xml/ns/public/bshp}eduPersonAffiliation:
> *old=null, delta=PropertyDelta(extension /
> {http://www.bshp.edu/xml/ns/public/bshp}eduPersonAffiliation,
> ADD),
> new=PP({http://www.bshp.edu/xml/ns/public/bshp}eduPersonAffiliation):[PPV(String:student)]*
> Target: PCD:{.../common/common-3}assignment
> {.../common/common-3}AssignmentType[0,-1],RAM
> Expression: assignmentExpression
> Condition: true -> true
> Result: *added: id=null: 1 items *
>
> So, my recommendation is to remove the chaining.
>
> Hope this helps. :-)
> Pavol
>
> On 19. 2. 2015 15:33, Jason Everling wrote:
>> Here are the details,
>>
>> 1 CSV Resource
>> 1 AD Resource
>> 1 Role with inducement for AD Account
>> 1 Object Template for CSV which generates the Username and
>> assigns the role with the AD Inducement.
>>
>> I will send the exports via private email
>>
>> JASON
>>
>> On Thu, Feb 19, 2015 at 6:01 AM, Pavol Mederly
>> <mederly at evolveum.com> wrote:
>>
>> Hello Jason,
>>
>> I would like to test this one, but I'm not sure about
>> the concrete configuration in which this occurs.
>>
>> Could you, please, describe the situation in more detail,
>> including your specific configurations (simplified if
>> necessary), to allow us to reproduce this bug?
>>
>> Thank you,
>> Pavol
>>
>> On 17. 2. 2015 16:58, Jason Everling wrote:
>>> Reviving an old bug, this is happening again, using 3.1
>>> Release, all my other issues are gone.
>>>
>>> I can manually click the user in midPoint and run reconcile
>>> and it works or if I take the inducement out of the Role and
>>> put it as a direct assignment in the object template the
>>> account gets created properly in AD. Again, this only
>>> happens when generating the username
>>>
>>> Is there a way to maybe run a reconcile after all the
>>> processes complete, let's say after the user is created and
>>> the object templates are processed? If so then this would
>>> more than likely work, I just think it is processing the
>>> inducement before the user account in midpoint is fully
>>> created with all attributes.
>>>
>>> JASON
>>>
>>> On Fri, Dec 5, 2014 at 9:13 AM, Jason Everling
>>> <jeverling at bshp.edu> wrote:
>>>
>>> Ok thanks for the update!
>>>
>>> JASON
>>>
>>> On Fri, Dec 5, 2014 at 2:10 AM, Ivan Noris
>>> <ivan.noris at evolveum.com> wrote:
>>>
>>> Jason,
>>>
>>> I've just tried the original iterator (User in
>>> midPoint) problem and it seems to be fixed in
>>> git-v3.0.1devel-703-g8c40b63.
>>>
>>> I've tested with LiveSync CSV sample from you, used
>>> user template either referenced from the unmatched
>>> action or global template. Username is generated in
>>> midPoint:
>>>
>>> (username - fullname)
>>> cypecienka - Cyrus Pecienka
>>> cypecienka2 - Cyrusov Pecienka
>>> cypecienka3 - Cyril Pecienka
>>> cypecienka4 - Cyrhoza Pecienka
>>>
>>> Please retest it once after you upgrade to 3.1 or
>>> the master snapshot. Thank you.
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 11/07/2014 04:23 PM, Jason Everling wrote:
>>>> Thanks, it is working, like you said, will be
>>>> easier to manage in the long run! Keep me posted on
>>>> the bug fix,
>>>>
>>>> For now, I am just cleaning up objects and playing
>>>> with other functions,
>>>>
>>>> JASON
>>>>
>>>> On Fri, Nov 7, 2014 at 2:56 AM, Ivan Noris
>>>> <Ivan.Noris at evolveum.com> wrote:
>>>>
>>>> Hi Jason,
>>>>
>>>> yes you can use switch in one mapping instead
>>>> of having many mappings - I'm using it very
>>>> often. It will be more simple to maintain.
>>>>
>>>> Just be sure to pass all required attributes as
>>>> source. In your case, organization does not
>>>> have to be source attribute, because you are
>>>> not referencing it in the mapping expression
>>>> nor conditions.
>>>>
>>>> You can further simplify the switch statement as:
>>>>
>>>> switch (*costCenter*) {
>>>> . . .
>>>>
>>>> - no basic.stringify() is needed, because the
>>>> attribute type is String and not Polystring.
>>>> Having it there would not do any harm though.
>>>> - you can address the attribute as
>>>> "costCenter", because it's implicitly stored in
>>>> that "variable" as it is declared as source
>>>> attribute
>>>>
>>>> Hope this helps you with designing your mappings.
>>>>
>>>> Regards,
>>>> Ivan
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>> *Sent: *Thursday, November 6, 2014 6:00:04 PM
>>>>
>>>> *Subject: *Re: [midPoint] Account Creation,
>>>> Not Being created in AD
>>>>
>>>> Oh Ok thanks,
>>>>
>>>> Can you look at this and make sure it is
>>>> correct, if you look at the CSV User
>>>> template I had sent I had a condition for
>>>> each program, I did some more digging on
>>>> github and found a sample similar to this,
>>>>
>>>> Would the below work instead of all the
>>>> conditions for mapping,
>>>>
>>>> <mapping>
>>>> <source>
>>>> <path>$user/costCenter</path>
>>>> </source>
>>>> <source>
>>>> <path>$user/organization</path>
>>>> </source>
>>>> <expression>
>>>> <script>
>>>> <code>
>>>> tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>>>> switch (basic.stringify(user.getCostCenter())) {
>>>> case 'ASGA':
>>>> tmpOU = 'OU=AAD,' + tmpOU
>>>> break
>>>> case 'AAD':
>>>> tmpOU = 'OU=AAD,' + tmpOU
>>>> break
>>>> case 'ASHIT':
>>>> tmpOU = 'OU=AAS HIT,' + tmpOU
>>>> break
>>>> case 'BSHM':
>>>> tmpOU = 'OU=BSHM,' + tmpOU
>>>> break
>>>> case 'BSN':
>>>> tmpOU = 'OU=BSN,' + tmpOU
>>>> break
>>>> case 'ASIM':
>>>> tmpOU = 'OU=DMIT,' + tmpOU
>>>> break
>>>> case 'CT':
>>>> tmpOU = 'OU=DMIT,' + tmpOU
>>>> break
>>>> case 'MRI':
>>>> tmpOU = 'OU=DMIT,' + tmpOU
>>>> break
>>>> case 'RT':
>>>> tmpOU = 'OU=DMIT,' + tmpOU
>>>> break
>>>> case 'VT':
>>>> tmpOU = 'OU=DMIT,' + tmpOU
>>>> break
>>>> case 'SO':
>>>> tmpOU = 'OU=DMIT,' + tmpOU
>>>> break
>>>> case 'PN':
>>>> tmpOU = 'OU=DPN,' + tmpOU
>>>> break
>>>> case 'ND':
>>>> tmpOU = 'OU=DPN,' + tmpOU
>>>> break
>>>> case 'ASGT':
>>>> tmpOU = 'OU=DST,' + tmpOU
>>>> break
>>>> case 'ST':
>>>> tmpOU = 'OU=DST,' + tmpOU
>>>> break
>>>> case 'VN':
>>>> tmpOU = 'OU=DVN,' + tmpOU
>>>> break
>>>> case 'GEN':
>>>> tmpOU = 'OU=GENED,' + tmpOU
>>>> break
>>>> case 'LVRN':
>>>> tmpOU = 'OU=LVRN,' + tmpOU
>>>> break
>>>> case 'PO':
>>>> tmpOU = 'OU=PNP,' + tmpOU
>>>> break
>>>> default:
>>>> tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>>>> }
>>>> return tmpOU
>>>> </code>
>>>> </script>
>>>> </expression>
>>>> <target>
>>>> <path>organization</path>
>>>> </target>
>>>> </mapping>
>>>>
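An added example, not part of the original thread or midPoint's own code: a Python check for the mismatch diagnosed in the top reply, where the exported setting says positive but the trace shows enforcement mode NONE. The log pattern is taken from the trace line quoted in that reply; the `systemConfiguration` wrapper, the second log entry and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed export fragment; the wrapper element and version attribute are assumptions.
EXPORTED_XML = """<systemConfiguration version="2"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <globalAccountSynchronizationSettings>
    <assignmentPolicyEnforcement>positive</assignmentPolicyEnforcement>
  </globalAccountSynchronizationSettings>
</systemConfiguration>"""

# Entry 1 is the trace quoted in the thread, wrapped as in the mail.
# Entry 2 is constructed for contrast (placeholder resource OID).
SAMPLE_LOG = """2015-02-20 08:54:41,698 [] [midPointScheduler_Worker-8] TRACE
(com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor):
Finishing legal decision for (account (default) on
resource:10000000-2000-3000-4000-10000000ad01(Active Directory: Office
365, Google Apps, Moodle)), thombstone false, enforcement mode NONE,
legalize false: false -> false
2015-02-20 09:10:02,113 [] [midPointScheduler_Worker-3] TRACE
(com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor):
Finishing legal decision for (account (default) on
resource:00000000-0000-0000-0000-00000000csv1(CSV)), thombstone false,
enforcement mode POSITIVE, legalize false: false -> true
"""

DECISION = re.compile(
    r"Finishing legal decision for \((?P<projection>.*?)\), thombstone \w+, "
    r"enforcement mode (?P<mode>\w+), legalize \w+: \w+ -> (?P<legal>\w+)")

def configured_mode(xml_text):
    """Return assignmentPolicyEnforcement from an exported configuration, or None."""
    node = ET.fromstring(xml_text).find(
        "c:globalAccountSynchronizationSettings/c:assignmentPolicyEnforcement", NS)
    return node.text.strip().lower() if node is not None and node.text else None

def effective_decisions(log_text):
    """Return (projection, mode, legal) for each AssignmentProcessor decision."""
    flat = re.sub(r"\s+", " ", log_text)  # undo line wrapping before matching
    return [(m["projection"], m["mode"].lower(), m["legal"] == "true")
            for m in DECISION.finditer(flat)]

def find_mismatches(xml_text, log_text):
    """List (projection, mode) where the running mode differs from the export."""
    expected = configured_mode(xml_text)
    return [(p, mode) for p, mode, _ in effective_decisions(log_text) if mode != expected]
```

Any projection returned by `find_mismatches` is one where the running configuration has drifted from the exported object, which is the condition that left the AD account uncreated here.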