[midPoint] Group Synchronisation - Active Directory
Martin Herbert
martinh at tahzoo.com
Wed Apr 20 13:49:16 CEST 2016
Hi Ivan,
Additionally also getting this error when trying to modify for example the Group name itself (not Display Name). Schema Handling for the group is listed below.
<objectType>
  <kind>entitlement</kind>
  <intent>group</intent>
  <displayName>Default Group</displayName>
  <default>true</default>
  <objectClass>ri:CustomGroupObjectClass</objectClass>
  <attribute>
    <c:ref>ri:samAccountName</c:ref>
    <tolerant>true</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <outbound>
      <authoritative>true</authoritative>
      <exclusive>false</exclusive>
      <strength>normal</strength>
      <source>
        <c:path>$focus/name</c:path>
      </source>
    </outbound>
    <inbound>
      <authoritative>true</authoritative>
      <exclusive>false</exclusive>
      <strength>normal</strength>
      <target>
        <c:path>$focus/name</c:path>
      </target>
    </inbound>
  </attribute>
  <attribute>
    <c:ref>icfs:description</c:ref>
    <tolerant>true</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <outbound>
      <authoritative>true</authoritative>
      <exclusive>false</exclusive>
      <strength>normal</strength>
      <source>
        <c:path>$focus/description</c:path>
      </source>
    </outbound>
    <inbound>
      <authoritative>true</authoritative>
      <exclusive>false</exclusive>
      <strength>normal</strength>
      <target>
        <c:path>$focus/description</c:path>
      </target>
    </inbound>
  </attribute>
  <attribute>
    <c:ref>icfs:name</c:ref>
    <displayName>Distinguished Name</displayName>
    <tolerant>true</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <outbound>
      <authoritative>true</authoritative>
      <exclusive>false</exclusive>
      <strength>normal</strength>
      <source>
        <c:path>$focus/name</c:path>
      </source>
      <expression>
        <script>
          <code>
            'cn='+name+',ou=Groups,ou=REDACTED'
          </code>
        </script>
      </expression>
    </outbound>
  </attribute>
  <attribute>
    <c:ref>ri:cn</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    <tolerant>true</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <outbound>
      <authoritative>true</authoritative>
      <exclusive>false</exclusive>
      <strength>normal</strength>
      <source>
        <c:path>$focus/name</c:path>
      </source>
    </outbound>
    <inbound>
      <authoritative>true</authoritative>
      <exclusive>false</exclusive>
      <strength>normal</strength>
      <target>
        <c:path>$focus/name</c:path>
      </target>
    </inbound>
  </attribute>
  <association>
    <c:ref>.</c:ref>
    <tolerant>true</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <kind>entitlement</kind>
    <intent>group</intent>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
  </association>
</objectType>
Thanks
Martin
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Martin Herbert <martinh at tahzoo.com>
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Wednesday, 20 April 2016 at 12:33
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Group Synchronisation - Active Directory
Hi Ivan,
Association element definition is below.
<association>
  <c:ref>.</c:ref>
  <tolerant>true</tolerant>
  <exclusiveStrong>false</exclusiveStrong>
  <kind>entitlement</kind>
  <intent>group</intent>
  <associationAttribute>ri:member</associationAttribute>
  <valueAttribute>icfs:name</valueAttribute>
  <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
MidPoint version is 3.3 with AD 2012 R2
Thanks
Martin
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Organization: Evolveum, s.r.o.
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Wednesday, 20 April 2016 at 12:30
To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Group Synchronisation - Active Directory
Hi,
what is the association definition in the resource? (The <association> container in schema handling).
Regards,
Ivan
On 04/20/2016 12:17 PM, Martin Herbert wrote:
Hi Guys,
Trying to get Group synchronisation working with Active Directory. So far have the group being created without issue, but modifying the group suspends the Live Sync task with the following error.
Internal Error: Unknown entitlement direction null in association com.evolveum.midpoint.common.refinery.RefinedAssociationDefinition@33244c2b in resource:bca287ee-054c-4cd4-b7e5-a1c5db470cea
Any ideas what I’m doing wrong?
Thanks
Martin
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
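Added example, not part of the thread and not midPoint's own code: a small Python check that parses a schema-handling fragment and reports every <association> that has no <direction> child, the property the error above reports as null. It assumes the error refers to that element; the function names are hypothetical, and the namespace URIs are the ones midPoint 3.x resource definitions use for the c, ri and icfs prefixes.

```python
import xml.etree.ElementTree as ET

# Prefixes used by the thread's fragment, bound here so it parses stand-alone.
NS = {
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
    "ri": "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3",
    "icfs": "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3",
}
# Values of midPoint's association direction enumeration.
VALID_DIRECTIONS = {"objectToSubject", "subjectToObject"}

# The association exactly as posted in the thread (it sets no <direction>).
POSTED = """
<association>
  <c:ref>.</c:ref>
  <tolerant>true</tolerant>
  <exclusiveStrong>false</exclusiveStrong>
  <kind>entitlement</kind>
  <intent>group</intent>
  <associationAttribute>ri:member</associationAttribute>
  <valueAttribute>icfs:name</valueAttribute>
  <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
"""

def local(tag):
    # ElementTree stores tags as '{namespace}name'; keep only the name.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    # Text of the first direct child called `name`, or None if there is none.
    hits = [(c.text or "").strip() for c in elem if local(c.tag) == name]
    return hits[0] if hits else None

def lint_associations(fragment):
    """Return (ref, problem) for each <association> without a valid direction."""
    decls = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    root = ET.fromstring(f"<wrapper {decls}>{fragment}</wrapper>")
    findings = []
    for elem in (e for e in root.iter() if local(e.tag) == "association"):
        ref = child_text(elem, "ref")
        direction = child_text(elem, "direction")
        if direction is None:
            findings.append((ref, "no <direction> element"))
        elif direction not in VALID_DIRECTIONS:
            findings.append((ref, f"unexpected direction {direction!r}"))
    return findings
```

Running lint_associations(POSTED) flags the posted association; the same function accepts a whole <objectType> or <schemaHandling> fragment and checks every association in it.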