[midPoint] Assigned AD group does not reappear when 1 of 2 groups is deleted from AD user

Ivan Noris ivan.noris at evolveum.com
Wed Apr 27 16:46:00 CEST 2016


Aivo,

Yes, that's exactly what I wanted to suggest, but I haven't had time to
answer/check your configs yet.
I hope that's it.

Rule of thumb #1: if you wish the reconciliation to enforce some value,
mapping strength must be strong.
Rule of thumb #2: default strength=normal.

Normal-strength mappings are applied whenever the source attribute(s) change,
not during reconciliation/synchronization.

Regards,
Ivan

On 04/27/2016 04:24 PM, Aivo Kuhlberg wrote:
>
> I think I solved the problem now. I added the strength parameter to the
> groups metarole as Ivan suggested:
>     <inducement id="2">
>         <construction>
>             <resourceRef oid="f25fd804-12ba-41e2-a961-c72eb5d9ab5b" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association>
>                 <c:ref>ri:group</c:ref>
>                 <outbound>
>                     <strength>strong</strength>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator>
>                                 <kind>entitlement</kind>
>                                 <intent>group</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>         <order>2</order>
>     </inducement>
>
> Thanks for your help!
>
> Aivo Kuhlberg
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Aivo
> Kuhlberg <aivo.kuhlberg at rmit.ee>
> *Sent:* 27 April 2016 15:49
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] Assigned AD group does not reappear when 1 of
> 2 groups is deleted from AD user
>  
>
> Hi Gusto, Ivan,
> My AD sync resource is here: http://pastebin.com/4McckbmY
> Imported AD groups have following metarole assignment:
> http://pastebin.com/z4pNS3hq
> Regards,
> Aivo Kuhlberg
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan
> Noris <ivan.noris at evolveum.com>
> *Sent:* 27 April 2016 14:56
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] Assigned AD group does not reappear when 1 of
> 2 groups is deleted from AD user
>  
> Hi Aivo,
> Also, please show us how the associations for groups are configured in the
> roles that put users into those groups.
> The mappings should be <strength>strong</strength> to apply during recon.
>
> I
>
> On 04/27/2016 01:45 PM, Pálos Gustáv wrote:
>> Hi,
>>
>> Please send me the resource config XML.
>> Do you use <tolerant>false</tolerant> on the group attribute
>> in schemaHandling?
>>
>> Gusto
>>
>>
>> 2016-04-27 13:33 GMT+02:00 Aivo Kuhlberg <aivo.kuhlberg at rmit.ee
>> <mailto:aivo.kuhlberg at rmit.ee>>:
>>
>>     I noticed strange behavior today with midPoint role
>>     reassignment. I have set up AD sync and imported users and also
>>     groups as roles. I am testing a user who has an AD resource
>>     assignment in midPoint and also 2 AD-group-based role assignments.
>>     At first I remove in AD one of the assigned role-based groups
>>     from the user, but not both groups. Then I run the recomputation task in
>>     midPoint.
>>     Result: the previously deleted group does not reappear on the AD user.
>>     If I remove both groups in AD, then after recomputation both
>>     groups reappear on the AD user.
>>     Is this a bug, or am I missing something?
>>
>>     I use midPoint 3.3.1 with the AD connector.
>>
>>
>>     Thanks,
>>
>>     Aivo Kuhlberg
>>
>>
>>     ------------------------------------------------------------------------
>>     This e-mail may contain information which is classified for
>>     official use.
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>
> -- 
>   Ing. Ivan Noris
>   Senior Identity Management Engineer & IDM Architect
>   evolveum.com                     evolveum.com/blog/
>   ___________________________________________________
>   "Semper ID(e)M Vix."
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
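The thread's two rules of thumb (only strong mappings are enforced by reconciliation, and a mapping with no declared strength is normal) can be turned into a quick configuration check. The following linter is an added example for this archive page, not code from the thread or from midPoint: it parses a role/metarole XML document, finds every association outbound mapping inside an inducement, and reports those whose strength is not strong, since reconciliation will not re-add a group through such a mapping. The sample role below is constructed for the example; its namespace URIs and the resource oid are placeholders, and tag matching is done on local names so the real midPoint namespace is not required.

```python
"""Lint midPoint role/metarole XML for association outbound mappings that are
not strength=strong (added example; not part of the mailing-list thread or of
midPoint itself)."""
import xml.etree.ElementTree as ET

# Constructed sample role with two inducements: id="1" relies on the default
# mapping strength (normal), id="2" declares strong.  The namespace URIs and
# the resource oid are placeholders, not real midPoint values.
SAMPLE_ROLE_XML = """<role xmlns="urn:example:midpoint-placeholder"
      xmlns:c="urn:example:midpoint-placeholder"
      xmlns:ri="urn:example:resource-instance-placeholder">
  <name>AD group metarole (constructed sample)</name>
  <inducement id="1">
    <construction>
      <resourceRef oid="00000000-0000-0000-0000-000000000000" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <outbound>
          <expression>
            <associationFromLink>
              <projectionDiscriminator>
                <kind>entitlement</kind>
                <intent>group</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
  </inducement>
  <inducement id="2">
    <construction>
      <resourceRef oid="00000000-0000-0000-0000-000000000000" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <outbound>
          <strength>strong</strength>
          <expression>
            <associationFromLink>
              <projectionDiscriminator>
                <kind>entitlement</kind>
                <intent>group</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>
"""


def local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}name' -> 'name'."""
    return tag.rsplit('}', 1)[-1]


def find_association_mappings(root):
    """Yield (inducement id, association ref text, outbound element) for every
    association outbound mapping found under an inducement."""
    for inducement in root.iter():
        if local(inducement.tag) != 'inducement':
            continue
        ind_id = inducement.get('id', '?')
        for assoc in inducement.iter():
            if local(assoc.tag) != 'association':
                continue
            ref = next((c.text for c in assoc if local(c.tag) == 'ref'), None)
            for child in assoc:
                if local(child.tag) == 'outbound':
                    yield ind_id, (ref or '').strip(), child


def mapping_strength(outbound):
    """Return the declared strength of a mapping, or 'normal' when none is
    declared (midPoint's default, per the thread's rule of thumb #2)."""
    for child in outbound:
        if local(child.tag) == 'strength' and child.text:
            return child.text.strip()
    return 'normal'


def weak_association_mappings(xml_text):
    """Return one finding per association outbound mapping whose strength is
    not 'strong'; reconciliation will not re-add a group through such a mapping."""
    root = ET.fromstring(xml_text)
    findings = []
    for ind_id, ref, outbound in find_association_mappings(root):
        strength = mapping_strength(outbound)
        if strength != 'strong':
            findings.append(f"inducement {ind_id}: association {ref} has strength "
                            f"'{strength}'; reconciliation will not re-add the group")
    return findings


if __name__ == '__main__':
    for finding in weak_association_mappings(SAMPLE_ROLE_XML):
        print(finding)
```

Run against the constructed sample, the check reports inducement 1 (no strength declared, so normal) and stays silent on inducement 2; point `weak_association_mappings` at an exported role file to review a real configuration before relying on reconciliation to restore group membership.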
