[midPoint] Running into issue with previous users

Jason Everling jeverling at bshp.edu
Sun Oct 18 01:39:29 CEST 2015


And a little more testing,

I can add a user back to CSV in the same situation as in my very first
email; the user now has a middle initial in CSV. The default system template builds
the fullName with their middle initial, so it ends up being Charlie K. Brown
now, but even with the below on the AD resource

<code>
'cn='+fullName+iterationToken+','+organization+'';
</code>

The user's DN is cn=Charlie Brown,etc.

Notice that when the user is added back and enabled in midPoint, their middle
initial never makes it into their fullName or into the DN. The GUI shows
Charlie K. Brown for the fullName attribute. It actually took a few
seconds, maybe 10 seconds, to add their middle initial to the user's
fullName in midPoint. That is 10 seconds AFTER the user is enabled, the
DN is built and the user has been synchronized into AD.

JASON

On Sat, Oct 17, 2015 at 6:17 PM, Jason Everling <jeverling at bshp.edu> wrote:

> I did some testing this weekend, even removing the org template/meta role
> and anything else that dynamically assigns an org, so I added everything
> back and changed the AD resource DN.
>
> It has to have something to do with the way this script is evaluated,
>
>                <expression>
>                   <script>
>                      <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>                      <code>
>     if (additionalName == null) {
>         return 'cn='+givenName+' '+familyName+iterationToken+','+organization+'';
>     } else {
>         return 'cn='+givenName+' '+additionalName+'. '+familyName+iterationToken+','+organization+'';
>     }
>                      </code>
>                   </script>
>                </expression>
>
> So the above errors out,
>
> But if I change it to the below it works just fine, even with people that
> currently have an initial in their DN like
>
> cn=John D. Doe,ou=DISABLED,ou=Students,dc=Test,dc=local
>
> And when I add them back to CSV it successfully completes and changes
> their DN without their initial like
>
> cn=John Doe,ou=Dept,ou=Users,ou=Students,dc=Test,dc=local
>
>                <expression>
>                   <script>
>                      <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>                      <code>
>     'cn='+givenName+' '+familyName+iterationToken+','+organization+'';
>                      </code>
>                   </script>
>                </expression>
>
> Maybe it is the way it is interpreting the IF ELSE?
>
> JASON
>
> On Fri, Oct 16, 2015 at 4:59 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> Ok thanks for looking at it,
>>
>> I am going to see what happens if I move it from the multi-valued
>> attribute organization to a custom created single-valued attribute.
>>
>> All in all it works great, has been running, enabling/disabling accounts
>> for weeks now, I just ran into this!
>>
>> JASON
>>
>> On Fri, Oct 16, 2015 at 4:39 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>> Hi Jason,
>>>
>>> now I understand the circumstances, thank you.
>>>
>>> I don't have a solution handy though. (I have not used such combination
>>> in my projects yet.) We will try to come up with something.
>>>
>>> I think that the authoritative mapping does not help here, because only
>>> one of the templates is executed - so the "old" value is not removed and
>>> the user ends up with two values. So maybe the mechanism by which you connect the
>>> events from CSV to midPoint would require a slight redesign of your solution.
>>>
>>> Best regards and have a nice weekend.
>>> Ivan
>>>
>>>
>>> On 10/16/2015 11:13 PM, Jason Everling wrote:
>>>
>>> Oh, within the resource synchronization situations,
>>>
>>>          <reaction>
>>>             <situation>deleted</situation>
>>>             <objectTemplateRef oid="10000000-0000-0000-0000-000000000301"/>
>>>             <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/>
>>>          </reaction>
>>>          <reaction>
>>>             <situation>unlinked</situation>
>>>             <objectTemplateRef oid="10000000-0000-0000-0000-000000000302"/>
>>>             <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/>
>>>          </reaction>
>>>
>>>
>>>
>>> On Fri, Oct 16, 2015 at 4:08 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>> .. and how midpoint runs the "Disabled Students Template 1" and "Enable
>>>> Student Template 1"? (Where?)
>>>>
>>>> Ivan
>>>>
>>>>
>>>> On 10/16/2015 11:04 PM, Jason Everling wrote:
>>>>
>>>> The user is disabled once they are removed from the CSV resource; the
>>>> CSV resource only contains active users. A template disables their account
>>>> and sets the OU path, just like the enable one which I pasted below.
>>>>
>>>> Yes, assigning an Org will cause icfs:name to be modified in AD to move
>>>> them into the correct ou's in AD.
>>>>
>>>> If you are meaning the Org Template/Meta Role, they are assigned
>>>> automatically using the system default org template.
>>>>
>>>> There are not any roles currently assigned to a user that control
>>>> enabled/disabled. It just happens automatically when they are either added
>>>> to or removed from CSV.
>>>>
>>>> jason
>>>>
>>>> On Fri, Oct 16, 2015 at 3:58 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>>>
>>>>> Hi Jason,
>>>>>
>>>>> some more questions to understand.
>>>>>
>>>>> What is the "lifecycle" of the user?
>>>>>
>>>>> Assigning a role will cause icfs:name generation for the correct OU.
>>>>>
>>>>> Are such roles assigned manually?
>>>>>
>>>>> Is the role for "DISABLED" users also assigned manually when the user
>>>>> leaves?
>>>>>
>>>>> Does the user we are speaking of still have that "DISABLED" role
>>>>> assigned?
>>>>>
>>>>> Thanks,
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 10/16/2015 10:47 PM, Jason Everling wrote:
>>>>>
>>>>> Ok so that makes a little more sense,
>>>>>
>>>>> The meta role is used so that when a user is created in the "GUI" and
>>>>> is assigned an Org, they will then be created in AD in the same Org. This
>>>>> is so that we do not have to manually type out the entire OU path.
>>>>>
>>>>> Here is the role,
>>>>>
>>>>> <role>
>>>>>    <name>Metarole for Orgs</name>
>>>>>    <description>
>>>>>       This MetaRole will add the current assigned organization to
>>>>>       the organization attribute.
>>>>>    </description>
>>>>>    <metadata>
>>>>>       <createTimestamp>2015-02-16T13:26:01.203-06:00</createTimestamp>
>>>>>       <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
>>>>>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
>>>>>    </metadata>
>>>>>    <inducement id="1">
>>>>>       <focusMappings>
>>>>>          <mapping>
>>>>>             <source>
>>>>>                <c:path>$immediateRole/name</c:path>
>>>>>             </source>
>>>>>             <target>
>>>>>                <c:path>$focus/organization</c:path>
>>>>>             </target>
>>>>>          </mapping>
>>>>>       </focusMappings>
>>>>>       <order>2</order>
>>>>>    </inducement>
>>>>> </role>
>>>>>
>>>>> What would you recommend I try?
>>>>>
>>>>> On Fri, Oct 16, 2015 at 3:39 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>>>>
>>>>>> Hi Jason,
>>>>>>
>>>>>> Pavol and I are looking into the logs.
>>>>>>
>>>>>> It seems that the user has the organization OU=_DISABLED,OU=SHP
>>>>>> Students,DC=TEST,DC=LOCAL (oid cce5ec38-5246-4368-9e7b-6b049e01ef4d) assigned, which
>>>>>> sets the attribute "organization" (using the metarole).
>>>>>>
>>>>>> Additionally, the user template you posted also sets the attribute
>>>>>> "organization", so after processing the user has TWO values of the organization
>>>>>> attribute, and this eventually fails in the mapping for (AD) icfs:name.
>>>>>>
>>>>>> How is the first role assigned, and why is it kept assigned?
>>>>>>
>>>>>> Regards,
>>>>>> Ivan
>>>>>>
>>>>>>
>>>>>> On 10/16/2015 09:55 PM, Jason Everling wrote:
>>>>>>
>>>>>> But the users do not have 2 "organizations" in their profile, they end
>>>>>> up with only 1,
>>>>>>
>>>>>> doesn't the "authoritative" flag ensure that only one value exists for
>>>>>> any multi-valued attribute?
>>>>>>
>>>>>> I attached the template that kicks off when a user is added back to
>>>>>> CSV
>>>>>>
>>>>>> JASON
>>>>>>
>>>>>> On Fri, Oct 16, 2015 at 2:52 PM, Jason Everling <jeverling at bshp.edu> wrote:
>>>>>>
>>>>>>> So yes, during the re-adding of the user, a template kicks off,
>>>>>>> which all it does is add back their original organization based on
>>>>>>> costCenter, which then causes them to be enabled and moved into another
>>>>>>> AD container.
>>>>>>>
>>>>>>> On Fri, Oct 16, 2015 at 2:50 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>>>>>>
>>>>>>>> This is strange.
>>>>>>>>
>>>>>>>> The two values have the same initial, so I start to believe that
>>>>>>>> the two values are produced by "organization" attribute.
>>>>>>>>
>>>>>>>> Can you please check if this user has one or two values of
>>>>>>>> user/organization? One seems to be "OU=DISABLED..."
>>>>>>>>
>>>>>>>> I.
>>>>>>>>
>>>>>>>> On 10/16/2015 09:02 PM, Jason Everling wrote:
>>>>>>>>
>>>>>>>> Here is the situation,
>>>>>>>>
>>>>>>>> I am running into an issue: if the user in the CSV has a middle
>>>>>>>> initial that was not there before and does not have that value in AD, then I
>>>>>>>> get an error,
>>>>>>>>
>>>>>>>> Attempt to replace 2 values to a single-valued item
>>>>>>>> attributes/name; values: [PPV(String:cn=Charlie K.
>>>>>>>> Brown,OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL), PPV(String:cn=Charlie K.
>>>>>>>> Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL)]
>>>>>>>>
>>>>>>>> The above user's original "name" in AD is
>>>>>>>> cn=Charlie Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL
>>>>>>>>
>>>>>>>> So when they are added to CSV with a middle initial it is trying to
>>>>>>>> build the new name like in the first example and fails.
>>>>>>>>
>>>>>>>> My AD DN code is,
>>>>>>>>
>>>>>>>> if (additionalName == null) {
>>>>>>>>     return 'cn='+givenName+' '+familyName+iterationToken+','+organization+'';
>>>>>>>> } else {
>>>>>>>>     return 'cn='+givenName+' '+additionalName+'. '+familyName+iterationToken+','+organization+'';
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> JASON
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> CONFIDENTIALITY NOTICE:
>>>>>>>> This e-mail together with any attachments is proprietary and
>>>>>>>> confidential; intended for only the recipient(s) named above and may
>>>>>>>> contain information that is privileged. You should not retain, copy or use
>>>>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>>>>> computer.
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> midPoint mailing list
>>>>>>>> midPoint at lists.evolveum.com
>>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>   Ing. Ivan Noris
>>>>>>>>   Senior Identity Management Engineer & IDM Architect
>>>>>>>>   evolveum.com                     evolveum.com/blog/
>>>>>>>>   ___________________________________________________
>>>>>>>>   "Semper Id(e)M Vix."
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> JASON
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> JASON
>>>>>
>>>>>
>>>>> --
>>>>> JASON
>>>>
>>>>
>>>> --
>>>> JASON
>>>
>>>
>>> --
>>> JASON
>>
>>
>> --
>> JASON
>>
>
>
>
> --
> JASON
>



-- 
JASON
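As an added illustration that is not part of the thread and not midPoint's own code: a stand-alone Python simulation of the icfs:name (DN) mapping discussed above. It assumes, as a simplification of midPoint's behaviour, that a script mapping is evaluated once per value of the multi-valued `organization` source, so the two organization values Ivan describes produce the two candidate DNs seen in the "Attempt to replace 2 values to a single-valued item" error. It also adds an RFC 4514 escape of the cn value, which none of the posted Groovy scripts do; the `Focus` class, `escape_rdn_value`, `candidate_dns`, `icfs_name` and `mapping_fails` names are all hypothetical.

```python
"""Stand-alone simulation of the midPoint icfs:name (DN) mapping from the
thread.  Illustrative code only, not midPoint's engine or the poster's
configuration.  Assumption (a simplification of midPoint's behaviour): the
script is evaluated once per value of the multi-valued ``organization``
source, so two organization values yield two candidate DNs for the
single-valued ``attributes/name`` target."""

from dataclasses import dataclass, field
from typing import List, Optional

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_RDN_SPECIALS = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # leading '#' must be escaped
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


class SingleValuedTargetError(ValueError):
    """Stands in for midPoint's "Attempt to replace N values to a single-valued item"."""


@dataclass
class Focus:
    """The user (focus) properties the posted scripts read."""
    givenName: str
    familyName: str
    additionalName: Optional[str] = None
    organization: List[str] = field(default_factory=list)


def full_name(focus: Focus) -> str:
    """The naming rule from the thread: 'Given M. Family' when a middle
    initial is present, else 'Given Family'.  Unlike the Groovy ``== null``
    check, an empty string is treated as "no initial" so the result never
    degrades to 'Given . Family'."""
    if focus.additionalName:
        return f"{focus.givenName} {focus.additionalName}. {focus.familyName}"
    return f"{focus.givenName} {focus.familyName}"


def candidate_dns(focus: Focus, iteration_token: str = "") -> List[str]:
    """One DN per organization value, mirroring per-value script evaluation."""
    cn = escape_rdn_value(full_name(focus) + iteration_token)
    return [f"cn={cn},{org}" for org in focus.organization]


def icfs_name(focus: Focus, iteration_token: str = "") -> str:
    """The single-valued target: exactly one candidate DN is acceptable."""
    dns = candidate_dns(focus, iteration_token)
    if len(dns) != 1:
        raise SingleValuedTargetError(
            f"Attempt to replace {len(dns)} values to a single-valued item "
            f"attributes/name; values: {dns}")
    return dns[0]


def mapping_fails(focus: Focus) -> bool:
    """True when the mapping would raise, i.e. organization is not single-valued."""
    try:
        icfs_name(focus)
    except SingleValuedTargetError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data modelled on the thread (not real accounts).
    ok = Focus("Charlie", "Brown", "K",
               ["OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL"])
    print(icfs_name(ok))
    stuck = Focus("Charlie", "Brown", "K",
                  ["OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL",
                   "OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL"])
    print(mapping_fails(stuck), candidate_dns(stuck))
```

Two points the simulation makes visible. First, the failure is not in the if/else: with one organization value both branches produce a single DN, and with two values both produce two, so the `organization` assignment (the "DISABLED" org left in place plus the one the template adds back) is the thing to fix, as Ivan suggests. Second, givenName, additionalName and familyName come straight from the CSV into the RDN, so a value containing a comma, plus sign or quote would otherwise change the structure of the DN; escaping the cn value before concatenation keeps the DN well-formed for any name.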
