[midPoint] Running into issue with previous users

Ivan Noris ivan.noris at evolveum.com
Fri Oct 16 22:58:52 CEST 2015


Hi Jason,

some more questions to understand.

What is the "lifecycle" of the user?

Assigning role will cause icfs:name generation for the correct OU.

Are such roles assigned manually?

Is the role for "DISABLED" users also assigned manually when user leaves?

Does the user we are speaking of still have that "DISABLED" role assigned?

Thanks,
Ivan

On 10/16/2015 10:47 PM, Jason Everling wrote:
> Ok so that makes a little more sense,
>
> The meta role is used so that when a user is created in the "GUI" and
> is assigned an Org, they will then be created in AD in the same Org.
> This is so that we do not have to manually type out the entire OU Path.
>
> Here is the role,
>
>    <name>Metarole for Orgs</name>
>    <description>
>         This MetaRole will add the current assigned organization to the organization attribute.
>    </description>
>    <metadata>
>       <createTimestamp>2015-02-16T13:26:01.203-06:00</createTimestamp>
>       <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
>    </metadata>
>    <inducement id="1">
>       <focusMappings>
>          <mapping>
>             <source>
>                <c:path>$immediateRole/name</c:path>
>             </source>
>             <target>
>                <c:path>$focus/organization</c:path>
>             </target>
>          </mapping>
>       </focusMappings>
>       <order>2</order>
>    </inducement>
> </role>
>
> What would you recommend I try?
>
> On Fri, Oct 16, 2015 at 3:39 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>     Hi Jason,
>
>     Pavol and I are looking into the logs.
>
>     It seems that the user has assigned organization
>     OU=_DISABLED,OU=SHP Students,DC=TEST,DC=LOCAL, oid
>     cce5ec38-5246-4368-9e7b-6b049e01ef4d, which sets the attribute
>     "organization" (using the metarole).
>
>     Additionally, the user template you posted, also sets the
>     attribute "organization", so after processing, user has TWO values
>     of organization attribute and this eventually fails in mapping for
>     (AD) icfs:name.
>
>     How is the first role assigned and why is it kept assigned?
>
>     Regards,
>     Ivan
>
>
>     On 10/16/2015 09:55 PM, Jason Everling wrote:
>>     But the users do not have 2 "organizations" in their profile, they
>>     end up with only 1,
>>
>>     doesn't the "authoritative" flag ensure that only one value exists
>>     for any multi value attribute?
>>
>>     I attached the template that kicks off when a user is added back
>>     to CSV
>>
>>     JASON
>>
>>     On Fri, Oct 16, 2015 at 2:52 PM, Jason Everling
>>     <jeverling at bshp.edu> wrote:
>>
>>         So yes, during the re-adding of the user, a template kicks
>>         off, which all it does, is add back their original
>>         organization based on costCenter, which then causes them to
>>         be enabled and moved into another AD container.
>>
>>         On Fri, Oct 16, 2015 at 2:50 PM, Ivan Noris
>>         <ivan.noris at evolveum.com> wrote:
>>
>>             This is strange.
>>
>>             The two values have the same initial, so I start to
>>             believe that the two values are produced by
>>             "organization" attribute.
>>
>>             Can you please check if this user has one or two values
>>             of user/organization? One seems to be "OU=DISABLED..."
>>
>>             I.
>>
>>             On 10/16/2015 09:02 PM, Jason Everling wrote:
>>>             Here is the situation,
>>>
>>>             I am running into an issue, if the user in the CSV has a
>>>             middle initial that was not there before and does not
>>>             have that value in AD then I get an error,
>>>
>>>             Attempt to replace 2 values to a single-valued item
>>>             attributes/name; values: [PPV(String:cn=Charlie K.
>>>             Brown,OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL),
>>>             PPV(String:cn=Charlie K.
>>>             Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL)]
>>>
>>>             The above user's original "name" in AD is
>>>             cn=Charlie Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL
>>>
>>>             So when they are added to CSV with a middle initial it
>>>             is trying to build the new name like in the first
>>>             example and fails.
>>>
>>>             My AD DN code is,
>>>
>>>             if (additionalName == null) {
>>>                 return 'cn='+givenName+' '+familyName+iterationToken+','+organization+'';
>>>             } else {
>>>                 return 'cn='+givenName+' '+additionalName+'. '+familyName+iterationToken+','+organization+'';
>>>             }
>>>
>>>
>>>             -- 
>>>             JASON
>>>
>>>
>>>
>>>             CONFIDENTIALITY NOTICE:
>>>             This e-mail together with any attachments is proprietary
>>>             and confidential; intended for only the recipient(s)
>>>             named above and may contain information that is
>>>             privileged. You should not retain, copy or use this
>>>             e-mail or any attachments for any purpose, or disclose
>>>             all or any part of the contents to any person. Any views
>>>             or opinions expressed in this e-mail are those of the
>>>             author and do not represent those of the Baptist School
>>>             of Health Professions. If you have received this e-mail
>>>             in error, or are not the named recipient(s), you are
>>>             hereby notified that any review, dissemination,
>>>             distribution or copying of this communication is
>>>             prohibited by the sender and to do so might constitute a
>>>             violation of the Electronic Communications Privacy Act,
>>>             18 U.S.C. section 2510-2521. Please immediately notify
>>>             the sender and delete this e-mail and any attachments
>>>             from your computer.
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com
>>>             <mailto:midPoint at lists.evolveum.com>
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>             -- 
>>               Ing. Ivan Noris
>>               Senior Identity Management Engineer & IDM Architect
>>               evolveum.com <http://evolveum.com>                     evolveum.com/blog/ <http://evolveum.com/blog/>
>>               ___________________________________________________
>>               "Semper Id(e)M Vix."
>>
>>         -- 
>>         JASON
>>
>>
>>
>>
>>     -- 
>>     JASON
>
> -- 
> JASON

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
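
The failure diagnosed in this thread, as an added example (not code from the thread or from midPoint): a small JavaScript model in which the DN script quoted above is evaluated once per value of `organization`, so a user holding two organization values yields two candidates for the single-valued name. The per-value evaluation is an assumption drawn from the quoted error message; `evaluateNameMapping` and `checkSingleValued` are hypothetical helpers, and the sample user is constructed from the values in that error message.

```javascript
// Added illustration, not midPoint code. Assumption: the name mapping runs
// the DN script once for each value of the multi-valued "organization".

// Same logic as the DN script posted in the thread.
function buildDn(givenName, additionalName, familyName, iterationToken, organization) {
  if (additionalName == null) {
    return 'cn=' + givenName + ' ' + familyName + iterationToken + ',' + organization;
  }
  return 'cn=' + givenName + ' ' + additionalName + '. ' + familyName +
    iterationToken + ',' + organization;
}

// Hypothetical helper: one candidate DN per distinct organization value.
function evaluateNameMapping(user) {
  const orgs = [...new Set(user.organization)];
  return orgs.map(org => buildDn(user.givenName, user.additionalName,
    user.familyName, user.iterationToken, org));
}

// Hypothetical helper: a single-valued target accepts exactly one candidate.
function checkSingleValued(item, values) {
  if (values.length !== 1) {
    return { ok: false,
      error: `Attempt to replace ${values.length} values to a single-valued item ${item}` };
  }
  return { ok: true, value: values[0] };
}

// Constructed sample user, built from the values in the quoted error message.
const charlie = {
  givenName: 'Charlie', additionalName: 'K', familyName: 'Brown', iterationToken: '',
  organization: [
    'OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL',      // value tied to the DISABLED organization
    'OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL', // value set by the user template
  ],
};

// Two organization values: two DNs compete for the single-valued name.
const broken = checkSingleValued('attributes/name', evaluateNameMapping(charlie));

// Assumed remedy for illustration: only the template's value remains.
const fixedUser = { ...charlie, organization: [charlie.organization[1]] };
const fixed = checkSingleValued('attributes/name', evaluateNameMapping(fixedUser));

console.log(broken.error);
console.log(fixed.value);
```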
