[midPoint] Still disabling User's GUI accounts! I cannot figure this out..

Jason Everling jeverling at bshp.edu
Wed Oct 7 17:51:27 CEST 2015


So strange. I looked some more: at 11:00pm my recon task kicked off, which
just has outbound mappings, no activation at all in the resource, and it
replaced effectiveStatus and disabledStatus.

Does a recon task normally disable accounts with no mappings defined for
activation?

06.10.15, 23:00:00 user:111111(user1) RECONCILIATION REQUEST
(resource:20000000-3000-4000-5000-10000000db12(Synchronization:
Address Management))

06.10.15, 23:00:54 user:111111(user1) MODIFY_OBJECT REQUEST
(user:122222222(usermodified))

06.10.15, 23:00:55 user:111111(user1) MODIFY_OBJECT EXECUTION
(user:122222222(usermodified)) SUCCESS
[ObjectDeltaOperation(ObjectDelta(UserType:1222222222,MODIFY:
PropertyDelta(activation / {.../common/common-3}administrativeStatus,
REPLACE), PropertyDelta(activation / {/common/common-3}effectiveStatus,
REPLACE), PropertyDelta(activation / {.../common/common-3}disableTimestamp,
REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyChannel,
REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyTimestamp,
REPLACE), ReferenceDelta(metadata / {.../common/common-3}modifierRef,
REPLACE)):
R(com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta SUCCESS
null))]

On Wed, Oct 7, 2015 at 10:32 AM, Jason Everling <jeverling at bshp.edu> wrote:

> I was trying to figure this out this morning so the values have changed
> since it was last set since I re-enabled the person's account in the GUI, so
> it is the way it should be now. I meant to capture that before I modified
> it but I forgot :( I will have to capture that the next time it happens.
>
> Is there a way to narrow this filter so that it only sends if a resource
> object is disabled?
>
>       <handler>
>          <expressionFilter>
>             <script>
>                <code>
>                   event.isRelatedToItem(new com.evolveum.midpoint.prism.path.ItemPath("activation", "administrativeStatus")) &amp;&amp;
>                   basic.getExtensionPropertyValue(requestee, 'http://www.bshp.edu/xml/ns/public/bshp', 'eduPersonAffiliation') == 'student'
>                </code>
>             </script>
>          </expressionFilter>
>
> I checked the AD Connector logs, and at exactly that time, and nothing
> happened before that time, the person's group memberships were modified:
>
> ConnectorServer.exe Information 0 Creating case insensitive filter 2015-10-06
> 22:21:55Z
> ActiveDirectoryConnector.Api Information 1 ExecuteQuery starting, query =
> (member=CN=User Modified,OU=DEPT,OU=Students,DC=CHANGED,DC=EDU) 2015-10-06
> 22:21:55Z
> ActiveDirectoryConnector Verbose 1 AD.ExecuteQueryInternal: modifying
> query; attributesToReturn = cn, samAccountName, description, displayName,
> managedBy, mail, info, groupType, objectClass, member, uSNChanged,
> uSNCreated, whenChanged, whenCreated, ad_container, __DESCRIPTION__,
> __SHORT_NAME__, __NAME__, __UID__ 2015-10-06 22:21:55Z
> ActiveDirectoryConnector Verbose 1 Setting search string to
> '(&(objectclass=Group)(member=CN=User
> Modified,OU=DEPT,OU=Students,DC=CHANGED,DC=EDU))' 2015-10-06 22:21:55Z
> ActiveDirectoryConnector Verbose 1 Search: Performing query 2015-10-06
> 22:21:55Z
> ActiveDirectoryConnector Verbose 1 searcher.FindAll took 00:00:00.005 2015-10-06
> 22:21:55Z
> ActiveDirectoryConnector Verbose 1 Found object LDAP://
> dc1.changed.edu/CN=CHANGED1,OU=Students,DC=CHANGED,DC=EDU 2015-10-06
> 22:21:55Z
> ActiveDirectoryConnector Verbose 1 Unsupported attribute type ... calling
> ToString (Name: 'whenChanged'(0) Type: 'System.DateTime' String Value:
> '8/28/2015 7:56:13 PM' 2015-10-06 22:21:55Z
> ActiveDirectoryConnector Verbose 1 Unsupported attribute type ... calling
> ToString (Name: 'whenCreated'(0) Type: 'System.DateTime' String Value:
> '10/6/2009 7:08:43 PM' 2015-10-06 22:21:55Z
> ActiveDirectoryConnector.Api Verbose 1 Returning ''LDAP://
> dc1.changed.edu/CN=CHANGED1,OU=Students,DC=CHANGED,DC=EDU'', in 92 ms 2015-10-06
> 22:21:55Z
> ActiveDirectoryConnector Verbose 1 Found object LDAP://
> dc1.changed.edu/CN=CHANGED2,OU=Groups,OU=Exchange,DC=CHANGED,DC=EDU 2015-10-06
> 22:21:55Z
> ActiveDirectoryConnector Verbose 1 Unsupported attribute type ... calling
> ToString (Name: 'whenChanged'(0) Type: 'System.DateTime' String Value:
> '10/2/2015 7:15:07 AM' 2015-10-06 22:21:55Z
> ActiveDirectoryConnector Verbose 1 Unsupported attribute type ... calling
> ToString (Name: 'whenCreated'(0) Type: 'System.DateTime' String Value:
> '1/4/2013 7:50:41 PM' 2015-10-06 22:21:55Z
>
> On Wed, Oct 7, 2015 at 9:50 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>> Hello Jason,
>>
>> and what's the current content of the <activation> and <metadata>
>> sections of that user?
>>
>> Pavol
>>
>> ------------------------------
>> *From: *"Jason Everling" <jeverling at bshp.edu>
>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>> *Sent: *Wednesday, October 7, 2015 4:23:02 PM
>> *Subject: *[midPoint] Still disabling User's GUI accounts! I cannot
>> figure this out..
>>
>>
>> At 5:21pm yesterday this person's GUI account was disabled, firing off the
>> account disabled notification, but the account should not have been
>> disabled, I have no mappings for any resource that disables an account
>> except for when users are removed from CSV which the user still exists.
>>
>> I have NO tasks or recons that happen at that time or even close to that
>> time, so all of a sudden at 5:21 their account was disabled? I cannot
>> figure out why, in the audit logs it just has
>>
>> [ObjectDeltaOperation(ObjectDelta(UserType:000010101010101010101010,MODIFY:
>> PropertyDelta(activation / {.../common/common-3}administrativeStatus,
>> REPLACE), PropertyDelta(activation / {.../common/common-3}effectiveStatus,
>> REPLACE), PropertyDelta(activation / {.../common/common-3}enableTimestamp,
>> REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyChannel,
>> REPLACE),
>>
>> Does the admin/effective status that is in the roles and orgs have
>> anything to do with it?
>>
>> --
>> JASON
>>
>>
>>
>> CONFIDENTIALITY NOTICE:
>> This e-mail together with any attachments is proprietary and
>> confidential; intended for only the recipient(s) named above and may
>> contain information that is privileged. You should not retain, copy or use
>> this e-mail or any attachments for any purpose, or disclose all or any part
>> of the contents to any person. Any views or opinions expressed in this
>> e-mail are those of the author and do not represent those of the Baptist
>> School of Health Professions. If you have received this e-mail in error, or
>> are not the named recipient(s), you are hereby notified that any review,
>> dissemination, distribution or copying of this communication is prohibited
>> by the sender and to do so might constitute a violation of the Electronic
>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>> notify the sender and delete this e-mail and any attachments from your
>> computer.
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> JASON
>



-- 
JASON
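
Added example, not part of the original message and not midPoint code: a Python script that scans audit records shaped like the ones quoted at the top of this message and lists every executed delta touching activation, paired with a reconciliation request by the same initiator shortly before it. The single-line record layout, the 30-minute window, the function names and the sample lines are assumptions made for the illustration; the time correlation is a heuristic, not proof of cause.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the audit records quoted in this message and
# joined onto single lines; OIDs, names and the extension namespace are placeholders.
SAMPLE = """\
06.10.15, 23:00:00 user:111111(user1) RECONCILIATION REQUEST (resource:RESOURCE-OID(Address Management))
06.10.15, 23:00:54 user:111111(user1) MODIFY_OBJECT REQUEST (user:USER-OID-A(usermodified))
06.10.15, 23:00:55 user:111111(user1) MODIFY_OBJECT EXECUTION (user:USER-OID-A(usermodified)) SUCCESS [PropertyDelta(activation / {.../common/common-3}administrativeStatus, REPLACE), PropertyDelta(activation / {.../common/common-3}effectiveStatus, REPLACE)]
06.10.15, 23:05:10 user:111111(user1) MODIFY_OBJECT EXECUTION (user:USER-OID-B(other)) SUCCESS [PropertyDelta(extension / {placeholder-ns}eduPersonAffiliation, REPLACE)]
07.10.15, 08:15:00 user:222222(admin) MODIFY_OBJECT EXECUTION (user:USER-OID-A(usermodified)) SUCCESS [PropertyDelta(activation / {.../common/common-3}administrativeStatus, REPLACE)]
"""

LINE = re.compile(
    r"^(?P<ts>\d\d\.\d\d\.\d\d, \d\d:\d\d:\d\d) (?P<initiator>\S+) "
    r"(?P<event>\w+) (?P<stage>REQUEST|EXECUTION) \((?P<target>.*?)\)"
    r"(?: (?P<outcome>\w+))?(?: \[(?P<deltas>.*)\])?$"
)
ACTIVATION_ITEM = re.compile(r"activation / \{[^}]*\}(\w+)")

def parse(text):
    """Turn each recognised audit line into a dict; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d.%m.%y, %H:%M:%S")
            rec["items"] = ACTIVATION_ITEM.findall(rec["deltas"] or "")
            records.append(rec)
    return records

def activation_changes(text, window=timedelta(minutes=30)):
    """List executed deltas that touch activation, each with the reconciliation
    request by the same initiator that started within `window` before it, if any.
    Assumes the records are in chronological order."""
    last_recon, findings = {}, []
    for rec in parse(text):
        if rec["event"] == "RECONCILIATION" and rec["stage"] == "REQUEST":
            last_recon[rec["initiator"]] = (rec["ts"], rec["target"])
        elif rec["stage"] == "EXECUTION" and rec["items"]:
            started, resource = last_recon.get(rec["initiator"], (None, None))
            near = started is not None and rec["ts"] - started <= window
            findings.append({"time": rec["ts"], "target": rec["target"],
                             "items": rec["items"],
                             "recon": resource if near else None})
    return findings
```

A finding whose "recon" is None has no reconciliation request by that initiator inside the window, so the change came from some other channel and the modifyChannel value in the full audit record is the next thing to check.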
