[midPoint] Synchronizing same user with different resources (ObjectAlreadyExistsException)

Ivan Noris ivan.noris at evolveum.com
Tue May 31 18:51:07 CEST 2016


Hi Anton,

first of all, what are you trying to achieve?

Yes, midPoint is capable of having multiple accounts linked to the same
user. Even multiple accounts (better: projections) on the same resource.
But if the various accounts are on the same resource, schema handling
configuration must define intents for them, and synchronization
configuration must define conditions which would then identify the
intent and the correlation rule.

Back to your problem: the exception seems to be because midPoint is
trying to provision an account which already exists. (The same DN, but
correlation rule does not declare that the currently processed user is
the owner of that account.) The iteration is configured
(maxIterations=5), but as iterationToken is used nowhere in your
configuration, midPoint stops retrying when maxIterations is
exceeded.

My first GUESS is that midPoint tries to synchronize the account
(UNLINKED) by running the inbound mappings. But I see also outbound
mappings, and I don't see outbound mapping for ri:dn (DN on AD).

Why do you also have outbound mappings? Is this intentional? If so, why
is there no mapping for ri:dn?

I'd recommend removing the outbound mappings from this resource, and
then if the correlation expression is correct, you should have two
projections for the users.

I also see that:

com.evolveum.midpoint.util.exception.SystemException:
com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Too
many iterations (6) for account(ID {.../resource/instance-3}objectGUID =
[ 2d42b6f0b3554a4cbe75fb9a8f0a1141 ], type 'default',
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaed(Active Directory Advanced
Sync 1)): cannot determine values that satisfy constraints: Found more
than one object with attribute {.../resource/instance-3}dn = [
CN=Vilk,DC=igp,DC=local ]


.. this is actually referencing the other AD resource named "Active
Directory Advanced Sync 1" ...

I may still be able to find another hint.

BUT beware: if you have two resources which point to the same directory,
and the accounts in both resources are physically the same, you would
have problems when you delete one account from midPoint - the other
would disappear (as it's the same account).

So my first question still applies: what are you trying to achieve?

Regards,
Ivan

On 05/31/2016 03:57 PM, Ерошенко Антон wrote:
>
> Hello!
>
> I’m trying to import accounts from AD resource. These accounts were
> already imported (LINKED) from another resource configured with the same
> AD. So, users are the same, ADs are the same, resources
> configurations only differ. I would like to get midpoint user linked
> to two projections (accounts).
>
> Midpoint sync process set UNLINKED status for accounts, but then fails
> them and shows ObjectAlreadyExistsException instead of linking the
> account to midpoint user.
>
> Does it mean that it's impossible to have two similar accounts for the
> same midpoint user? Or is something wrong?
>
> Resource config http://pastebin.com/XX6KrcQB
>
> Exception class com.evolveum.midpoint.util.exception.SystemException
> thrown by object change listener model synchronization service:
> com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Too
> many iterations (6) for account(ID {.../resource/instance-3}objectGUID
> = [ 2d42b6f0b3554a4cbe75fb9a8f0a1141 ], type 'default',
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaed(Active Directory
> Advanced Sync 1)): cannot determine values that satisfy constraints:
> Found more than one object with attribute {.../resource/instance-3}dn
> = [ CN=Vilk,DC=igp,DC=local]
>
> com.evolveum.midpoint.util.exception.SystemException:
> com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Too
> many iterations (6) for account(ID {.../resource/instance-3}objectGUID
> = [ 2d42b6f0b3554a4cbe75fb9a8f0a1141 ], type 'default',
> resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaed(Active Directory
> Advanced Sync 1)): cannot determine values that satisfy constraints:
> Found more than one object with attribute {.../resource/instance-3}dn
> = [ CN=Vilk,DC=igp,DC=local ]
>
>                 at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:298)
> ~[model-impl-3.3.1.jar:na]
>
>                 at
> com.evolveum.midpoint.model.impl.sync.SynchronizationService$AjcClosure1.run(SynchronizationService.java:1)
> ~[model-impl-3.3.1.jar:na]
>
>  
>
> Thanks for any suggestions.
>
> Anton.

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
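
Added example, not part of the original message and not midPoint code: a simplified Python model of the iteration behaviour described in the reply, showing why maxIterations=5 ends in "Too many iterations (6)" when the DN never uses iterationToken. All function names are hypothetical, the directory content is constructed from the DN in the error message, and the token rule (empty on iteration 0, then the iteration number) is an assumption.

```python
# Simplified model of the retry loop described in the message above.
# Not midPoint code: all names here are hypothetical, and the token rule
# (empty on iteration 0, then the iteration number) is an assumption.

class ObjectAlreadyExists(Exception):
    pass


def iteration_token(iteration):
    return "" if iteration == 0 else str(iteration)


def find_free_dn(name, taken_dns, max_iterations, dn_for):
    """Try iterations 0..max_iterations; return (dn, attempts) for the
    first proposed DN that is not already in taken_dns."""
    attempts = []
    for iteration in range(max_iterations + 1):
        dn = dn_for(name, iteration_token(iteration))
        attempts.append(dn)
        if dn not in taken_dns:
            return dn, attempts
    raise ObjectAlreadyExists(
        "Too many iterations (%d): no unique value for dn, tried %s"
        % (len(attempts), sorted(set(attempts)))
    )


# Constructed sample data: the DN from the error message is already present,
# because the other resource points at the same directory.
TAKEN = {"CN=Vilk,DC=igp,DC=local"}


def dn_without_token(name, token):
    # Token ignored, so every iteration proposes the same DN.
    return "CN=%s,DC=igp,DC=local" % name


def dn_with_token(name, token):
    return "CN=%s%s,DC=igp,DC=local" % (name, token)


def demo():
    try:
        find_free_dn("Vilk", TAKEN, 5, dn_without_token)
        outcome = "provisioned"
    except ObjectAlreadyExists as exc:
        outcome = str(exc)
    renamed, _ = find_free_dn("Vilk", TAKEN, 5, dn_with_token)
    return outcome, renamed


if __name__ == "__main__":
    print(demo())
```

In this model, putting the token into the DN only makes the loop settle on a different DN; it does not link the account that already exists, which is the job of the correlation rule discussed in the reply.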
