[midPoint] Synchronizing same user with different resources (ObjectAlreadyExistsException)

Thu Jun 2 09:52:39 CEST 2016

Hi Anton,

one account can have only one shadow. The shadow contains information
about account "name" and identifier. In case of LDAP this is DN and
entryUUID/objectGUID.

Theoretically it should not happen to have two or more shadows for the
same account. Not sure about import, but reconciliation should get rid
of such shadows.

Ivan

On 06/02/2016 08:01 AM, Ерошенко Антон wrote:
>
> I figured out the problem. There were two shadows of one account, that
> seems to violates unique constraints. First shadow created during
> import process that passed normally, second shadow created during
> import process that failed for some reason. I delete one shadow
> manually, so sync works now.
>
> How many shadows can we have for one account? How to avoid creation of
> multiple shadows of one account?
>
>  
>
>  
>
>  
>
>  
>
>  
>
> Hello!
>
> I’m trying to import accounts from AD resource. These accounts were
> already imported (LINKED) from another resource configured with same
> AD . So, users are the same, ADs are the same, resources
> configurations only differ.  I would like to get midpoint user linked
> to two projections (accounts).
>
> Midpoint sync process set UNLINKED status for accounts, but then fails
> them and shows ObjectAlreadyExistsException instead of link the
> account to midpoint user.
>
> Does it mean that its impossible to have two similar accounts for the
> same midpoint user? Or something wrong? 
>
>  
>
> Resource config http://pastebin.com/XX6KrcQB
>
>  
>
> Exception class com.evolveum.midpoint.util.exception.SystemException
> thrown by object change listener model synchronization service:
> com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Too
> many iterations (6) for account(ID {.../resource/instance-3}objectGUID
> = [ 2d42b6f0b3554a4cbe75fb9a8f0a1141 ], type 'default',
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaed(Active Directory
> Advanced Sync 1)): cannot determine values that satisfy constraints:
> Found more than one object with attribute {.../resource/instance-3}dn
> = [ CN=Vilk,DC=igp,DC=local]
>
> com.evolveum.midpoint.util.exception.SystemException:
> com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Too
> many iterations (6) for account(ID {.../resource/instance-3}objectGUID
> = [ 2d42b6f0b3554a4cbe75fb9a8f0a1141 ], type 'default',
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaed(Active Directory
> Advanced Sync 1)): cannot determine values that satisfy constraints:
> Found more than one object with attribute {.../resource/instance-3}dn
> = [ CN=Vilk,DC=igp,DC=local ]
>
>                 at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:298)
> ~[model-impl-3.3.1.jar:na]
>
>                 at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService$AjcClosure1.run(SynchronizationService.java:1)
> ~[model-impl-3.3.1.jar:na]
>
>  
>
> Thanks for any suggestions.
>
> Anton.
>
>  
>
>  
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160602/abfa4a6e/attachment.htm>