[midPoint] Running into issue with previous users
Ivan Noris
ivan.noris at evolveum.com
Fri Oct 16 23:08:03 CEST 2015
.. and how does midPoint run the "Disabled Students Template 1" and "Enable
Student Template 1"? (Where?)
Ivan
On 10/16/2015 11:04 PM, Jason Everling wrote:
> The user is disabled once they are removed from the CSV resource, the
> CSV resource only contains active users. A template disables their
> account and sets the OU path just like the enable one which I pasted
> below.
>
> Yes, assigning an Org will cause icfs:name to be modified in AD to
> move them into the correct OUs in AD.
>
> If you mean the Org Template/Meta Role, they are assigned
> automatically using the system default org template.
>
> There are not any roles currently assigned to a user that control
> enabled/disabled. It just happens automatically when they are either
> added or removed from CSV.
>
> jason
>
> On Fri, Oct 16, 2015 at 3:58 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
> Hi Jason,
>
> some more questions to understand.
>
> What is the "lifecycle" of the user?
>
> Assigning a role will cause icfs:name generation for the correct OU.
>
> Are such roles assigned manually?
>
> Is the role for "DISABLED" users also assigned manually when the user
> leaves?
>
> Does the user we are speaking of still have that "DISABLED" role
> assigned?
>
> Thanks,
> Ivan
>
>
> On 10/16/2015 10:47 PM, Jason Everling wrote:
>> Ok so that makes a little more sense,
>>
>> The meta role is used so that when a user is created in the "GUI"
>> and is assigned an Org, they will then be created in AD in the
>> same Org. This is so that we do not have to manually type out the
>> entire OU path.
>>
>> Here is the role,
>>
>> <role>
>>   <name>Metarole for Orgs</name>
>>   <description>
>>     This MetaRole will add the current assigned organization
>>     to the organization attribute.
>>   </description>
>>   <metadata>
>>     <createTimestamp>2015-02-16T13:26:01.203-06:00</createTimestamp>
>>     <creatorRef oid="00000000-0000-0000-0000-000000000002"
>>                 type="c:UserType"><!-- administrator --></creatorRef>
>>     <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
>>   </metadata>
>>   <!-- order 2: applies to users assigned to an org that has this metarole -->
>>   <inducement id="1">
>>     <focusMappings>
>>       <mapping>
>>         <source>
>>           <c:path>$immediateRole/name</c:path>
>>         </source>
>>         <target>
>>           <c:path>$focus/organization</c:path>
>>         </target>
>>       </mapping>
>>     </focusMappings>
>>     <order>2</order>
>>   </inducement>
>> </role>
>>
>> What would you recommend I try?
>>
>> On Fri, Oct 16, 2015 at 3:39 PM, Ivan Noris
>> <ivan.noris at evolveum.com> wrote:
>>
>> Hi Jason,
>>
>> Pavol and I are looking into the logs.
>>
>> It seems that the user has an assigned organization
>> OU=_DISABLED,OU=SHP Students,DC=TEST,DC=LOCAL, oid
>> cce5ec38-5246-4368-9e7b-6b049e01ef4d, which sets the
>> attribute "organization" (using the metarole).
>>
>> Additionally, the user template you posted also sets the
>> attribute "organization", so after processing, the user has TWO
>> values of the organization attribute and this eventually fails in
>> the mapping for (AD) icfs:name.
>>
>> How is the first role assigned and why is it kept assigned?
>>
>> Regards,
>> Ivan
>>
>>
>> On 10/16/2015 09:55 PM, Jason Everling wrote:
>>> But the users do not have 2 "organizations" in their profile,
>>> they end up with only 1.
>>>
>>> Doesn't the "authoritative" flag ensure that only one value
>>> exists for any multi-value attribute?
>>>
>>> I attached the template that kicks off when a user is added
>>> back to CSV
>>>
>>> JASON
>>>
>>> On Fri, Oct 16, 2015 at 2:52 PM, Jason Everling
>>> <jeverling at bshp.edu> wrote:
>>>
>>> So yes, during the re-adding of the user, a template
>>> kicks off, and all it does is add back their original
>>> organization based on costCenter, which then causes them
>>> to be enabled and moved into another AD container.
>>>
>>> On Fri, Oct 16, 2015 at 2:50 PM, Ivan Noris
>>> <ivan.noris at evolveum.com> wrote:
>>>
>>> This is strange.
>>>
>>> The two values have the same initial, so I start to
>>> believe that the two values are produced by
>>> "organization" attribute.
>>>
>>> Can you please check if this user has one or two
>>> values of user/organization? One seems to be
>>> "OU=DISABLED..."
>>>
>>> I.
>>>
>>> On 10/16/2015 09:02 PM, Jason Everling wrote:
>>>> Here is the situation,
>>>>
>>>> I am running into an issue: if the user in the CSV
>>>> has a middle initial that was not there before and
>>>> does not have that value in AD, then I get an error,
>>>>
>>>> Attempt to replace 2 values to a single-valued item
>>>> attributes/name; values: [PPV(String:cn=Charlie K.
>>>> Brown,OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL),
>>>> PPV(String:cn=Charlie K.
>>>> Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL)]
>>>>
>>>> The above user's original "name" in AD is
>>>> cn=Charlie
>>>> Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL
>>>>
>>>> So when they are added to CSV with a middle initial
>>>> it is trying to build the new name like in the
>>>> first example and fails.
>>>>
>>>> My AD DN code is,
>>>>
>>>> // Build the AD DN (icfs:name) from the name parts and the user's organization
>>>> if (additionalName == null) {
>>>>     return 'cn='+givenName+' '+familyName+iterationToken+','+organization+'';
>>>> } else {
>>>>     return 'cn='+givenName+' '+additionalName+'. '+familyName+iterationToken+','+organization+'';
>>>> }
>>>>
>>>>
>>>> --
>>>> JASON
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is
>>>> proprietary and confidential; intended for only the
>>>> recipient(s) named above and may contain
>>>> information that is privileged. You should not
>>>> retain, copy or use this e-mail or any attachments
>>>> for any purpose, or disclose all or any part of the
>>>> contents to any person. Any views or opinions
>>>> expressed in this e-mail are those of the author
>>>> and do not represent those of the Baptist School of
>>>> Health Professions. If you have received this
>>>> e-mail in error, or are not the named recipient(s),
>>>> you are hereby notified that any review,
>>>> dissemination, distribution or copying of this
>>>> communication is prohibited by the sender and to do
>>>> so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section
>>>> 2510-2521. Please immediately notify the sender and
>>>> delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> <mailto:midPoint at lists.evolveum.com>
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>> --
>>> Ing. Ivan Noris
>>> Senior Identity Management Engineer & IDM Architect
>>> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
>>> ___________________________________________________
>>> "Semper Id(e)M Vix."
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
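
The diagnosis quoted in this thread (two sources both setting `organization`, then a failure in the single-valued `icfs:name` mapping) can be reproduced with a small model. This is an added example, not code from the thread or from midPoint: it assumes the name script runs once per distinct organization value, and the function names and source labels are hypothetical.

```python
# Added illustration: a simplified model of the failure, not midPoint code.

class SingleValueError(ValueError):
    """Raised when a single-valued target would receive several values."""

def build_dn(given, family, organization, additional=None, iteration_token=""):
    # Python port of the DN script quoted in the thread.
    if additional is None:
        return f"cn={given} {family}{iteration_token},{organization}"
    return f"cn={given} {additional}. {family}{iteration_token},{organization}"

def conflicting_sources(contributions):
    """Group (source, value) pairs by value; more than one key is a conflict."""
    by_value = {}
    for source, value in contributions:
        by_value.setdefault(value, []).append(source)
    return by_value if len(by_value) > 1 else {}

def evaluate_name(user, contributions):
    # Assumption: the script runs once per distinct organization value,
    # and the target (icfs:name) accepts exactly one result.
    orgs = sorted({value for _, value in contributions})
    names = [build_dn(user["givenName"], user["familyName"], org,
                      user.get("additionalName")) for org in orgs]
    if len(names) != 1:
        raise SingleValueError(
            f"{len(names)} values for single-valued icfs:name: {names}")
    return names[0]

# Constructed sample, using the names and OUs from the error in the thread.
USER = {"givenName": "Charlie", "additionalName": "K", "familyName": "Brown"}
CONTRIBUTIONS = [
    ("org metarole (hypothetical label)",
     "OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL"),
    ("user template (hypothetical label)",
     "OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL"),
]

if __name__ == "__main__":
    for value, sources in conflicting_sources(CONTRIBUTIONS).items():
        print("organization", value, "set by", sources)
    try:
        evaluate_name(USER, CONTRIBUTIONS)
    except SingleValueError as exc:
        print("provisioning would fail:", exc)
    # With the stale DISABLED contribution removed, a single DN results.
    print(evaluate_name(USER, CONTRIBUTIONS[1:]))
```

Listing which source contributed each `organization` value before provisioning points at the stale assignment, rather than at the DN script where the error surfaces.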