[midPoint] Still disabling User's GUI accounts! I cannot figure this out..

Jason Everling jeverling at bshp.edu
Wed Oct 7 17:32:58 CEST 2015


I was trying to figure this out this morning, so the values have changed
since it was last set, since I re-enabled the person's account in the GUI, so
it is the way it should be now. I meant to capture that before I modified
it, but I forgot :( I will have to capture that the next time it happens.

Is there a way to narrow this filter so that it only sends if a resource
object is disabled?

      <handler>
         <expressionFilter>
            <script>
               <code>
        event.isRelatedToItem(new com.evolveum.midpoint.prism.path.ItemPath("activation", "administrativeStatus")) &amp;&amp;
        basic.getExtensionPropertyValue(requestee, 'http://www.bshp.edu/xml/ns/public/bshp', 'eduPersonAffiliation') == 'student'
                </code>
            </script>
         </expressionFilter>

I checked the AD Connector logs, and at exactly that time, and nothing
happened before that time, the person's group memberships were modified:
ConnectorServer.exe Information 0 Creating case insensitive filter 2015-10-06 22:21:55Z
ActiveDirectoryConnector.Api Information 1 ExecuteQuery starting, query = (member=CN=User Modified,OU=DEPT,OU=Students,DC=CHANGED,DC=EDU) 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 AD.ExecuteQueryInternal: modifying query; attributesToReturn = cn, samAccountName, description, displayName, managedBy, mail, info, groupType, objectClass, member, uSNChanged, uSNCreated, whenChanged, whenCreated, ad_container, __DESCRIPTION__, __SHORT_NAME__, __NAME__, __UID__ 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 Setting search string to '(&(objectclass=Group)(member=CN=User Modified,OU=DEPT,OU=Students,DC=CHANGED,DC=EDU))' 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 Search: Performing query 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 searcher.FindAll took 00:00:00.005 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 Found object LDAP://dc1.changed.edu/CN=CHANGED1,OU=Students,DC=CHANGED,DC=EDU 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 Unsupported attribute type ... calling ToString (Name: 'whenChanged'(0) Type: 'System.DateTime' String Value: '8/28/2015 7:56:13 PM' 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 Unsupported attribute type ... calling ToString (Name: 'whenCreated'(0) Type: 'System.DateTime' String Value: '10/6/2009 7:08:43 PM' 2015-10-06 22:21:55Z
ActiveDirectoryConnector.Api Verbose 1 Returning ''LDAP://dc1.changed.edu/CN=CHANGED1,OU=Students,DC=CHANGED,DC=EDU'', in 92 ms 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 Found object LDAP://dc1.changed.edu/CN=CHANGED2,OU=Groups,OU=Exchange,DC=CHANGED,DC=EDU 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 Unsupported attribute type ... calling ToString (Name: 'whenChanged'(0) Type: 'System.DateTime' String Value: '10/2/2015 7:15:07 AM' 2015-10-06 22:21:55Z
ActiveDirectoryConnector Verbose 1 Unsupported attribute type ... calling ToString (Name: 'whenCreated'(0) Type: 'System.DateTime' String Value: '1/4/2013 7:50:41 PM' 2015-10-06 22:21:55Z

On Wed, Oct 7, 2015 at 9:50 AM, Pavol Mederly <mederly at evolveum.com> wrote:

> Hello Jason,
>
> and what's the current content of the <activation> and <metadata> sections
> of that user?
>
> Pavol
>
> ------------------------------
> *From: *"Jason Everling" <jeverling at bshp.edu>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Sent: *Wednesday, October 7, 2015 4:23:02 PM
> *Subject: *[midPoint] Still disabling User's GUI accounts! I cannot figure this out..
>
>
> At 5:21pm yesterday this person's GUI account was disabled, firing off the
> account disabled notification, but the account should not have been
> disabled. I have no mappings for any resource that disables an account
> except for when users are removed from the CSV, in which the user still exists.
>
> I have NO tasks or recons that happen at that time or even close to that
> time, so all of a sudden at 5:21 their account was disabled? I cannot
> figure out why; in the audit logs it just has
>
> [ObjectDeltaOperation(ObjectDelta(UserType:000010101010101010101010,MODIFY:
> PropertyDelta(activation / {.../common/common-3}administrativeStatus,
> REPLACE), PropertyDelta(activation / {.../common/common-3}effectiveStatus,
> REPLACE), PropertyDelta(activation / {.../common/common-3}enableTimestamp,
> REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyChannel,
> REPLACE),
>
> Does the admin/effective status that is in the roles and orgs have
> anything to do with it?
>
> --
> JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>


-- 
JASON
