[midPoint] Fwd: Re: ***UNCHECKED*** Re: Account Creation, Not Being created in AD

Jason Everling jeverling at bshp.edu
Fri Feb 20 17:11:20 CET 2015


Yes, so yesterday in my own part of trying to debug before I sent the first
reply I had set that to positive after reading up on the functions on the
wiki and it still was not working so I had changed it back.

So today, changing it to positive and then adding a new CSV user, it WORKS,
user is added to AD! It more than likely didn't work yesterday because of
the one chain mapping left over in the template.

Thank you so much for helping with this!!!

JASON

On Fri, Feb 20, 2015 at 9:53 AM, Pavol Mederly <mederly at evolveum.com> wrote:

>  Hello Jason,
>
> the problem seems to be in your system configuration:
>
> Although in the exported data, there is a correct setting of:
>
> (version = 2)
> <globalAccountSynchronizationSettings>
>       <assignmentPolicyEnforcement>*positive*</assignmentPolicyEnforcement>
> </globalAccountSynchronizationSettings>
>
> in reality as seen from the log, midPoint uses the following:
>
> (version = 12)
>  globalAccountSynchronizationSettings:
> com.evolveum.midpoint.xml.ns._public.common.common_3.ProjectionPolicyType@25d25ec7[assignmentPolicyEnforcement=*NONE*,legalize=<null>]
>
> ... and so is seen in the log later:
>
> 2015-02-20 08:54:41,698 [] [midPointScheduler_Worker-8] TRACE
> (com.evolveum.midpoint.model.impl.lens.projector.AssignmentProcessor):
> Finishing legal decision for (account (default) on
> resource:10000000-2000-3000-4000-10000000ad01(Active Directory: Office
> 365, Google Apps, Moodle)), thombstone false, enforcement mode *NONE*,
> legalize false: false -> *false*
>
>  The "none" mode is a special mode, in which midPoint simply ignores all
> assignments. And as we can see here, it sets legal:=false for this account,
> and therefore does not try to create it.
>
> So I'd suggest setting assignment policy enforcement to either "positive"
> or "relative" and trying again. :-)
>
> Best regards,
> Pavol
>
>
>
>
> On 20. 2. 2015 16:06, Jason Everling wrote:
>
> Ok I must have missed that one, I removed the condition and source with
>
>      <mapping>
>     <expression>
>             <value>
>  <targetRef oid="30000000-aaaa-bbbb-0000-12345678sr01" type="c:RoleType"/>
>             </value>
>     </expression>
>         <target>
>             <path>assignment</path>
>         </target>
>     </mapping>
>
>  I was hoping that it would work but it still does not add the account to
> AD though :( , still a lot of nulls in the logs, I attached the new logs
> again for a new user
>
>  Isabel Trevino, istrevino
>
> On Fri, Feb 20, 2015 at 1:25 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>>  Hello Jason,
>>
>> after studying the logs I suspect that the problem is being caused by
>> chaining of mappings in the object template "User Template 3". The related
>> issue is https://jira.evolveum.com/browse/MID-2149. (I know that you've
>> eliminated the majority of chainings -> but this one seems to be left
>> there).
>>
>> See the red-colored parts below.
>>
>> <objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>                 oid="10000000-0000-0000-0000-000000000203"
>>                 version="0">
>>    <name>User Template 3</name>
>>    ...
>>    <mapping>
>>       <source>
>>          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>                  xmlns:bshp="http://www.bshp.edu/xml/ns/public/bshp">declare namespace bshp='http://www.bshp.edu/xml/ns/public/bshp'; $c:user/c:extension/bshp:eduPersonAffiliation</c:path>
>>       </source>
>>       <expression>
>>          <script>
>>             <code>'student'</code>
>>          </script>
>>       </expression>
>>       <*target*>
>>          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>                  xmlns:bshp="http://www.bshp.edu/xml/ns/public/bshp">declare namespace bshp='http://www.bshp.edu/xml/ns/public/bshp'; *$c:user/c:extension/bshp:eduPersonAffiliation*</c:path>
>>       </target>
>>    </mapping>
>>
>> *      ----->*
>>
>>    <mapping>
>>       <*source*>
>>          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>                  xmlns:bshp="http://www.bshp.edu/xml/ns/public/bshp">declare namespace bshp='http://www.bshp.edu/xml/ns/public/bshp'; *$c:user/c:extension/bshp:eduPersonAffiliation*</c:path>
>>       </source>
>>       <expression>
>>          <assignmentTargetSearch>
>>             <targetType xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:RoleType</targetType>
>>             <oid>30000000-aaaa-bbbb-0000-12345678sr01</oid>
>>          </assignmentTargetSearch>
>>       </expression>
>>       <target>
>>          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">assignment</c:path>
>>       </target>
>>    </mapping>
>> </objectTemplate>
>>
>> In the log you can see that this results in an empty assignment of the
>> role that should give access to the AD:
>>
>> 2015-02-19 11:06:47,040 [] [midPointScheduler_Worker-10] TRACE
>> (com.evolveum.midpoint.model.common.mapping.Mapping): Mapping trace:
>> ---[ MAPPING  in objectTemplate:10000000-0000-0000-0000-000000000203(User
>> Template 3)]---------------------------
>> Source: {http://www.bshp.edu/xml/ns/public/bshp}eduPersonAffiliation: *old=null,
>> delta=null, new=null*
>> Target: PCD:{.../common/common-3}assignment
>> {.../common/common-3}AssignmentType[0,-1],RAM
>> Expression: assignmentExpression
>> Condition: true -> true
>> Result:  *[here should be an assignment but there's nothing there
>> because the input is 'null' (not the 'student' as one could expect) - this
>> is because of chaining]*
>>
>> Actually, in a later iteration (in the secondary phase of the clockwork
>> processing), the assignment is computed - but it is actually too late (just
>> before exiting the processing) - so it is not executed. I mean this one:
>>
>> ---[ MAPPING  in objectTemplate:10000000-0000-0000-0000-000000000203(User
>> Template 3)]---------------------------
>> Source: {http://www.bshp.edu/xml/ns/public/bshp}eduPersonAffiliation: *old=null,
>> delta=PropertyDelta(extension / {http://www.bshp.edu/xml/ns/public/bshp}eduPersonAffiliation, ADD),
>> new=PP({http://www.bshp.edu/xml/ns/public/bshp}eduPersonAffiliation):[PPV(String:student)]*
>> Target: PCD:{.../common/common-3}assignment
>> {.../common/common-3}AssignmentType[0,-1],RAM
>> Expression: assignmentExpression
>> Condition: true -> true
>> Result: *added: id=null: 1 items *
>>
>> So, my recommendation is to remove the chaining.
>>
>> Hope this helps. :-)
>> Pavol
>>
>> On 19. 2. 2015 15:33, Jason Everling wrote:
>>
>> Here are the details,
>>
>>  1 CSV Resource
>> 1 AD Resource
>> 1 Role with inducement for AD Account
>> 1 Object Template for CSV which generates the Username and assigns the
>> role with the AD Inducement.
>>
>>  I will send the exports via private email
>>
>>  JASON
>>
>> On Thu, Feb 19, 2015 at 6:01 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>>  Hello Jason,
>>>
>>> I would like to test this one, but I'm not sure about the concrete
>>> configuration in which this occurs.
>>>
>>> Could you, please, describe the situation in more detail, including
>>> your specific configurations (simplified if necessary), to allow us to
>>> reproduce this bug?
>>>
>>> Thank you,
>>> Pavol
>>>
>>> On 17. 2. 2015 16:58, Jason Everling wrote:
>>>
>>>  Reviving an old bug, this is happening again, using 3.1 Release, all
>>> my other issues are gone.
>>>
>>>  I can manually click the user in midPoint and run reconcile and it
>>> works or if I take the inducement out of the Role and put it as a direct
>>> assignment in the object template the account gets created properly in AD.
>>> Again, this only happens when generating the username
>>>
>>>  Is there a way to maybe run a reconcile after all the processes
>>> complete, let's say after the user is created and the object templates are
>>> processed? If so then this would more than likely work, I just think it is
>>> processing the inducement before the user account in midpoint is fully
>>> created with all attributes.
>>>
>>>  JASON
>>>
>>> On Fri, Dec 5, 2014 at 9:13 AM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> Ok thanks for the update!
>>>>
>>>>  JASON
>>>>
>>>> On Fri, Dec 5, 2014 at 2:10 AM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Jason,
>>>>>
>>>>> I've just tried the original iterator (User in midPoint) problem and
>>>>> it seems to be fixed in git-v3.0.1devel-703-g8c40b63.
>>>>>
>>>>> I've tested with LiveSync CSV sample from you, used user template
>>>>> either referenced from the unmatched action or global template. Username is
>>>>> generated in midPoint:
>>>>>
>>>>> (username - fullname)
>>>>> cypecienka - Cyrus Pecienka
>>>>> cypecienka2 - Cyrusov Pecienka
>>>>> cypecienka3 - Cyril Pecienka
>>>>> cypecienka4 - Cyrhoza Pecienka
>>>>>
>>>>> Please retest it once after you upgrade to 3.1 or the master snapshot.
>>>>> Thank you.
>>>>>
>>>>> Regards,
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 11/07/2014 04:23 PM, Jason Everling wrote:
>>>>>
>>>>> Thanks, it is working, like you said, will be easier to manage in the
>>>>> long run! Keep me posted on the bug fix,
>>>>>
>>>>>  For now, I am just cleaning up objects and playing with other
>>>>> functions,
>>>>>
>>>>>  JASON
>>>>>
>>>>> On Fri, Nov 7, 2014 at 2:56 AM, Ivan Noris <Ivan.Noris at evolveum.com>
>>>>> wrote:
>>>>>
>>>>>>  Hi Jason,
>>>>>>
>>>>>>  yes you can use switch in one mapping instead of having many
>>>>>> mappings - I'm using it very often. It will be more simple to maintain.
>>>>>>
>>>>>>  Just be sure to pass all required attributes as source. In your
>>>>>> case, organization does not have to be source attribute, because you are
>>>>>> not referencing it in the mapping expression
>>>>>>  nor conditions.
>>>>>>
>>>>>>  You can further simplify the switch statement as:
>>>>>>
>>>>>>  switch (*costCenter*) {
>>>>>> . . .
>>>>>>
>>>>>>  - no basic.stringify() is needed, because the attribute type is
>>>>>> String and not Polystring. Having it there would not do any harm though.
>>>>>>  - you can address the attribute as "costCenter", because it's
>>>>>> implicitly stored in that "variable" as it is declared as source attribute
>>>>>>
>>>>>>  Hope this helps you with designing your mappings.
>>>>>>
>>>>>>  Regards,
>>>>>>  Ivan
>>>>>>
>>>>>>  ------------------------------
>>>>>>
>>>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>>>> *Sent: *Thursday, November 6, 2014 6:00:04 PM
>>>>>>
>>>>>> *Subject: *Re: [midPoint] Account Creation, Not Being created in AD
>>>>>>
>>>>>>  Oh Ok thanks,
>>>>>>
>>>>>>  Can you look at this and make sure it is correct, if you look at
>>>>>> the CSV User template I had sent I had a condition for each program, I did
>>>>>> some more digging on github and found a sample similar to this,
>>>>>>
>>>>>>  Would the below work instead of all the conditions for mapping,
>>>>>>
>>>>>>  <mapping>
>>>>>>     <source>
>>>>>>        <path>$user/costCenter</path>
>>>>>>     </source>
>>>>>>     <source>
>>>>>>        <path>$user/organization</path>
>>>>>>     </source>
>>>>>>     <expression>
>>>>>>        <script>
>>>>>>           <code>
>>>>>>              tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>>>>>>              switch (basic.stringify(user.getCostCenter())) {
>>>>>>                 case 'ASGA':
>>>>>>                    tmpOU = 'OU=AAD,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'AAD':
>>>>>>                    tmpOU = 'OU=AAD,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'ASHIT':
>>>>>>                    tmpOU = 'OU=AAS HIT,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'BSHM':
>>>>>>                    tmpOU = 'OU=BSHM,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'BSN':
>>>>>>                    tmpOU = 'OU=BSN,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'ASIM':
>>>>>>                    tmpOU = 'OU=DMIT,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'CT':
>>>>>>                    tmpOU = 'OU=DMIT,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'MRI':
>>>>>>                    tmpOU = 'OU=DMIT,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'RT':
>>>>>>                    tmpOU = 'OU=DMIT,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'VT':
>>>>>>                    tmpOU = 'OU=DMIT,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'SO':
>>>>>>                    tmpOU = 'OU=DMIT,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'PN':
>>>>>>                    tmpOU = 'OU=DPN,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'ND':
>>>>>>                    tmpOU = 'OU=DPN,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'ASGT':
>>>>>>                    tmpOU = 'OU=DST,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'ST':
>>>>>>                    tmpOU = 'OU=DST,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'VN':
>>>>>>                    tmpOU = 'OU=DVN,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'GEN':
>>>>>>                    tmpOU = 'OU=GENED,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'LVRN':
>>>>>>                    tmpOU = 'OU=LVRN,' + tmpOU
>>>>>>                    break
>>>>>>                 case 'PO':
>>>>>>                    tmpOU = 'OU=PNP,' + tmpOU
>>>>>>                    break
>>>>>>                 default:
>>>>>>                    tmpOU = 'OU=SHP Students,DC=TEST,DC=LOCAL'
>>>>>>              }
>>>>>>              return tmpOU
>>>>>>           </code>
>>>>>>        </script>
>>>>>>     </expression>
>>>>>>     <target>
>>>>>>        <path>organization</path>
>>>>>>     </target>
>>>>>>  </mapping>
>>>>>>
>>>>>>

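A lint for the mapping chaining discussed in the thread (one mapping's target is another mapping's source, MID-2149), as an added example that is not part of the original messages or of midPoint itself. The template is a constructed reduction of the quoted "User Template 3", and `normalize` and `find_chained_mappings` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
BSHP = "declare namespace bshp='http://www.bshp.edu/xml/ns/public/bshp'; "

# Constructed sample, reduced from the "User Template 3" quoted in the thread.
SAMPLE_TEMPLATE = f"""\
<objectTemplate xmlns="{NS[1:-1]}">
  <mapping>
    <expression><script><code>'student'</code></script></expression>
    <target><path>{BSHP}$c:user/c:extension/bshp:eduPersonAffiliation</path></target>
  </mapping>
  <mapping>
    <source><path>{BSHP}$c:user/c:extension/bshp:eduPersonAffiliation</path></source>
    <expression><assignmentTargetSearch>
      <oid>30000000-aaaa-bbbb-0000-12345678sr01</oid>
    </assignmentTargetSearch></expression>
    <target><path>assignment</path></target>
  </mapping>
</objectTemplate>
"""

def normalize(path):
    """Reduce a path to prefix-free segments, e.g. 'extension/eduPersonAffiliation'."""
    path = re.sub(r"declare\s+namespace\s+[^;]+;", "", path).strip()
    segs = path.split("/")
    if segs[0].startswith("$"):  # drop the leading variable ($c:user, $user)
        segs = segs[1:]
    return "/".join(s.split(":")[-1] for s in segs if s)

def find_chained_mappings(template_xml):
    """Return (producer_index, consumer_index, path) for every chained pair."""
    mappings = ET.fromstring(template_xml).findall(NS + "mapping")
    def paths(mapping, role):
        found = mapping.findall(f"{NS}{role}/{NS}path")
        return {normalize(p.text or "") for p in found} - {""}
    findings = []
    for i, producer in enumerate(mappings):
        for j, consumer in enumerate(mappings):
            if i != j:  # a mapping reading its own target is not a chain
                shared = paths(producer, "target") & paths(consumer, "source")
                findings += [(i, j, p) for p in sorted(shared)]
    return findings

if __name__ == "__main__":
    for i, j, path in find_chained_mappings(SAMPLE_TEMPLATE):
        print(f"mapping #{j} reads '{path}', which mapping #{i} writes")
```

Run against an exported object template, any reported pair marks an assignment mapping whose input is only populated in a later projector iteration, which is the condition that left the role assignment empty in the first log excerpt.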