[midPoint] Found AD Sync Error, how to cleanup

Pavol Mederly mederly at evolveum.com
Thu Nov 12 22:10:45 CET 2015


Jason,

silly me... I interchanged m_user with m_shadow. Sorry for that. :(

You say that name_orig in m_shadow looks fine. But below you show that 
the name is "cn=Sam� V. Student" -> i.e. it does contain diacritics. So 
I'm a bit confused. :) What is the content of the name_orig in m_shadow 
/ m_object?

Also, the problem can be the <icfs:name> value. It is in the table
m_object_ext_string in column stringvalue in a row with owner_oid =
Shadow OID and ename =
'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3#name'.
You could check that one as well.

Before trying to update the database directly, I would try to fix the 
name/icfs:name via debug pages (if you haven't already tried that), and 
then delete it.

If that's not possible (as I expect), I see two possible ways out:

1) fix the name/icfs:name in the database and then delete the shadow via 
repository objects functionality

or

2) directly delete the relevant records in m_shadow, m_object and
m_object_ext_string. Hopefully I haven't left out any relevant table...
(if yes, you'd probably get a reference violation error).

Of course, directly editing/modifying the database data can be a bit 
dangerous. I'm not sure if anyone actually tried that in this way.

So, I'd prefer to be 100% sure in identifying the exact cause of the 
problem before trying to remediate it.

If you could send me (either here or in private)
1) the value m_shadow.name_orig, m_object.name_orig, 
m_object_ext_string.stringvalue for rows with corresponding oid/owner_oid,
2) the exact stack trace of the exception you get when trying to delete 
the shadow via Repository Objects,
I/we would hopefully be able to provide some hints.

Overall, as you've asked, if you would not worry about this, it should
not be an immediate problem. However, I'm not quite sure how the DB
would react when it encounters such a shadow, e.g. when doing a
reconciliation or something like that. I'd expect that you would (at
least) get some exceptions in the log, or (in the worst case)
interruptions of tasks' executions. So I'd suggest solving that somehow :)

Best regards,
Pavol
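
A read-only way to collect the three values requested above before changing anything, as an added example that is not part of the original message. The SQLite tables and sample rows are constructed stand-ins holding only the columns named in this thread (the real midPoint schema has more), the OID is a placeholder, and the data is arranged so that only the extension row is affected, purely to show the output.

```python
import sqlite3

ICFS_NAME = ("http://midpoint.evolveum.com/xml/ns/public/connector/"
             "icf-1/resource-schema-3#name")

# Read-only query over the three places the thread says hold the shadow's name.
QUERY = """
SELECT 'm_shadow.name_orig', name_orig FROM m_shadow WHERE oid = :oid
UNION ALL
SELECT 'm_object.name_orig', name_orig FROM m_object WHERE oid = :oid
UNION ALL
SELECT 'm_object_ext_string.stringvalue', stringvalue
  FROM m_object_ext_string WHERE owner_oid = :oid AND ename = :ename
"""

def suspicious_chars(value):
    """Return (index, 'U+XXXX') for every non-ASCII character in value."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(value or "")
            if ord(ch) > 0x7F]

def inspect_shadow(conn, oid):
    """Map each column holding the shadow's name to its non-ASCII characters."""
    rows = conn.execute(QUERY, {"oid": oid, "ename": ICFS_NAME}).fetchall()
    return {col: suspicious_chars(val) for col, val in rows}

def build_sample_db():
    """Constructed in-memory stand-in; not the real midPoint schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE m_object (oid TEXT PRIMARY KEY, name_orig TEXT);
        CREATE TABLE m_shadow (oid TEXT PRIMARY KEY, name_orig TEXT);
        CREATE TABLE m_object_ext_string
            (owner_oid TEXT, ename TEXT, stringvalue TEXT);
    """)
    oid = "placeholder-shadow-oid"  # constructed, not a real OID
    clean = "cn=Sam V. Student,OU=Dept"
    conn.execute("INSERT INTO m_object VALUES (?, ?)", (oid, clean))
    conn.execute("INSERT INTO m_shadow VALUES (?, ?)", (oid, clean))
    conn.execute("INSERT INTO m_object_ext_string VALUES (?, ?, ?)",
                 (oid, ICFS_NAME, "cn=sam\ufffd v. student,ou=dept"))
    return conn, oid

if __name__ == "__main__":
    conn, oid = build_sample_db()
    for column, hits in inspect_shadow(conn, oid).items():
        print(column, "->", hits or "ASCII only")
```

A reported U+FFFD means the stored value itself is already a replacement character, which is different from a valid accented letter that is only displayed incorrectly.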

On 12. 11. 2015 20:25, Jason Everling wrote:
> Below is from debug, the only place it exists; I changed the last names
> and OIDs on purpose
>
> <shadow xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>         oid="00000000000000000000000000000000000"
>         version="0">
>    <name>cn=Sam� V. Student,OU=Dept,OU=Students,DC=DOMAIN,DC=EDU</name>
>    <metadata>
>       <createTimestamp>2015-11-12T08:21:54.668-06:00</createTimestamp>
>       <creatorRef oid="aafcf63e-4f7d-4d3a-97d6-6f6c79b89ef2" type="c:UserType"><!-- jeverling --></creatorRef>
>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync</createChannel>
>    </metadata>
>    <resourceRef oid="10000000-2000-3000-4000-10000000ad01" type="c:ResourceType"><!-- Active Directory --></resourceRef>
>    <objectClass>ri:AccountObjectClass</objectClass>
>    <kind>account</kind>
>    <intent>default</intent>
>    <iteration>0</iteration>
>    <iterationToken/>
>    <attributes>
>       <icfs:uid>&lt;GUID=12345678910111213456677&gt;</icfs:uid>
>       <icfs:name>cn=sam� v. student,ou=dept,ou=students,dc=domain,dc=edu</icfs:name>
>    </attributes>
>    <activation>
>       <administrativeStatus>enabled</administrativeStatus>
>       <enableTimestamp>2015-11-12T08:21:54.281-06:00</enableTimestamp>
>    </activation>
> </shadow>
>
> JASON
>
> On Thu, Nov 12, 2015 at 1:21 PM, Jason Everling <jeverling at bshp.edu 
> <mailto:jeverling at bshp.edu>> wrote:
>
>     I checked the m_user, does not exist, probably because I deleted
>     in gui,
>
>     m_shadow does not have diacritic, name_norm and name_orig look fine
>
>     m_object also does not have the diacritic either
>
>     I don't know where else to look, would it hurt anything if I do
>     not worry about?
>
>     JASON
>
>     On Thu, Nov 12, 2015 at 1:03 PM, Jason Everling
>     <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>
>         Yeah it is in the shadow and the only attributes are <name>,
>         <icfs:name>, <icfs:uid>
>
>         After I update using sql statements I should be able to delete it?
>
>         Thanks Ivan, I'll see what I come up with
>
>         JASON
>
>         On Thu, Nov 12, 2015 at 12:22 PM, Pavol Mederly
>         <mederly at evolveum.com <mailto:mederly at evolveum.com>> wrote:
>
>             Ivo,
>
>             the error actually comes from the repository; even if it
>             is invoked by the provisioning (as it deals with shadows).
>
>             I'm afraid it would be necessary to do some SQL magic :|
>             Something like (writing from my head, hope it would work)
>
>             update m_user set givenname_orig = 'x' where oid='y'
>
>             (provided the problem is in given name, not in name itself
>             - in that case it would be necessary to update name_orig
>             in m_user and m_object tables as well).
>
>             Pavol
>
>>             You can use something like:
>>
>>             basic.norm(basic.stringify(givenName))?.replaceAll(/\w+/,
>>             { it[0].toUpperCase() + ((it.size() > 1) ? it[1..-1] :
>>             '') } )?.replace(' ', '')
>>
>>             (this was not invented by me)
>>
>>             Regarding the error - it's strange. AFAIK debug pages are
>>             not using provisioning, and this error seems to come from
>>             provisioning. I don't understand this...
>>
>>             Ivan
>>
>>             On 11/12/2015 06:37 PM, Jason Everling wrote:
>>>             I had my username generation using that format but I
>>>             need to do that also for the regular givenName and
>>>             familyName attributes,
>>>
>>>             Which function removes the diacritics while preserving
>>>             the first letter uppercase?
>>>
>>>             I was able to delete the user from the GUI but it got an
>>>             error afterwards while trying to remove the shadow. The
>>>             user is gone in the GUI users list but in the debug
>>>             pages shadow I can still see the old shadow. When trying
>>>             to delete from the debug side is where I get the
>>>             error. I attached a screenshot of the error
>>>
>>>             JASON
>>>
>>>             On Thu, Nov 12, 2015 at 11:14 AM, Ivan Noris
>>>             <ivan.noris at evolveum.com
>>>             <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>>                 Hi Jason,
>>>
>>>                 I always use basic.norm because our language has
>>>                 many diacritic characters unsuitable for most systems...
>>>
>>>                 Example from my object template for Users:
>>>                 (mapping, where user/givenName and user/familyName
>>>                 are sources)
>>>
>>>                 tmpGivenName = basic.norm(basic.stringify(givenName))?.tr(' ', '.')
>>>                 tmpFamilyName = basic.norm(basic.stringify(familyName))?.tr(' ', '.')
>>>                 return tmpGivenName + '.' + tmpFamilyName + iterationToken
>>>
>>>                 (everything is "normalized", diacritic characters
>>>                 replaced by ASCII, spaces are then replaced by dot
>>>                 (because basic.norm returns spaces as well))
>>>
>>>                 Regarding deleting shadow: how are you trying to
>>>                 delete it and what error do you get? Are you deleting
>>>                 from "normal" GUI (editing user) or in Repository
>>>                 objects GUI?
>>>
>>>                 Regards,
>>>                 Ivan
>>>
>>>
>>>                 On 11/12/2015 05:49 PM, Jason Everling wrote:
>>>>                 Ohhh, I need to use the basic. functions when
>>>>                 importing the first and last names so that the
>>>>                 diacritics are removed,
>>>>
>>>>                 Now I just need to get the old shadow deleted from
>>>>                 midpoint, it doesn't let me?
>>>>
>>>>                 JASON
>>>>
>>>>                 On Thu, Nov 12, 2015 at 10:17 AM, Jason Everling
>>>>                 <jeverling at bshp.edu <mailto:jeverling at bshp.edu>> wrote:
>>>>
>>>>                     It was because a name had a ~ symbol above the
>>>>                     last letter in their first name, I had to
>>>>                     manually delete from AD and fix in our system.
>>>>
>>>>                     I cannot delete the AD shadow from midpoint
>>>>
>>>>                     Or how can my user creation template remove
>>>>                     these values, I attached a screenshot of what
>>>>                     it looks like.
>>>>
>>>>
>>>>
>>>>                     -- 
>>>>                     JASON
>>>>
>>>>
>>>>
>>>>
>>>>                 -- 
>>>>                 JASON
>>>>
>>>>
>>>>
>>>>                 CONFIDENTIALITY NOTICE:
>>>>                 This e-mail together with any attachments is
>>>>                 proprietary and confidential; intended for only the
>>>>                 recipient(s) named above and may contain
>>>>                 information that is privileged. You should not
>>>>                 retain, copy or use this e-mail or any attachments
>>>>                 for any purpose, or disclose all or any part of the
>>>>                 contents to any person. Any views or opinions
>>>>                 expressed in this e-mail are those of the author
>>>>                 and do not represent those of the Baptist School of
>>>>                 Health Professions. If you have received this
>>>>                 e-mail in error, or are not the named recipient(s),
>>>>                 you are hereby notified that any review,
>>>>                 dissemination, distribution or copying of this
>>>>                 communication is prohibited by the sender and to do
>>>>                 so might constitute a violation of the Electronic
>>>>                 Communications Privacy Act, 18 U.S.C. section
>>>>                 2510-2521. Please immediately notify the sender and
>>>>                 delete this e-mail and any attachments from your
>>>>                 computer.
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 midPoint mailing list
>>>>                 midPoint at lists.evolveum.com
>>>>                 <mailto:midPoint at lists.evolveum.com>
>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>                 -- 
>>>                    Ing. Ivan Noris
>>>                    Senior Identity Management Engineer & IDM Architect
>>>                    evolveum.com <http://evolveum.com>                      evolveum.com/blog/ <http://evolveum.com/blog/>
>>>                    ___________________________________________________
>>>                    "Semper Id(e)M Vix."
>>>
>>>
>>>
>>>
>>>
>>>
>>>             -- 
>>>             JASON
>>>
>>>
>>>
>>
>>             -- 
>>                Ing. Ivan Noris
>>                Senior Identity Management Engineer & IDM Architect
>>                evolveum.com <http://evolveum.com>                      evolveum.com/blog/ <http://evolveum.com/blog/>
>>                ___________________________________________________
>>                "Semper Id(e)M Vix."
>>
>>
>
>
>
>
>
>
>
>
>
